Enterprise Compliance Risk Management. Ramakrishna Saloni
are getting broader and deeper)
2. More supervision (both off-site and on-site) by the lawmakers and regulators
As a natural outcome of these two responses, compliance over the last decade has become, or more accurately has been made to become, a fundamental component of financial services, taking on a more formal shape and structure. The challenge this evolving structure grapples with is to “comply” with an ever-expanding plethora of regulations. That leads to two interesting questions: What is compliance? Where does it start and stop? There is an apparently simple answer to the first and a not-so-clear one to the second. Two definitions or descriptions of compliance provide a good starting point for the conversation. It is important to understand that present-day compliance, particularly in the regulatory context, has two aspects:
1. The actual adherence to standards and regulations
2. Demonstrated adherence to standards and regulations
The first is an understood and accepted high-level expectation of the compliance function. It is the second that deserves a closer look. The compliance universe will increasingly be tasked with “demonstrating compliance.” At a fundamental level, demonstration makes two demands on the system. The first is the expectation of transparency and free flow of information. The second is the tracking and recording of proof of compliance. These are the aspects that will increasingly challenge organizations on multiple fronts. From information and people silos, to a lack of proof points, to deficient communication, to actual noncompliance, there are many systemic issues that need addressing.
The emphasis is both on increased transparency and on greater enforcement. We will revisit this aspect under the section on real-life issues of compliance. The relevance of this definition is to illustrate the point that the understanding of, and expectation from, “compliance” is expanding manifold. The Australian standard discussed next adds further depth to the conversation.
Australian Standard AS 3806-2006 describes compliance as “adhering to the requirements of law, industry and organizational standards and codes, principles of good governance and accepted community and ethical standards.” As a practitioner, I see this as a more appropriate and encompassing definition. Particular mention needs to be made of the last part of this description. The specific callout of “principles of good governance and accepted community and ethical standards” interests me, because the earlier part is the “letter” aspect of compliance and the latter is the “spirit” aspect. The overemphasis on the first over time has, as we have seen, not been effective. This definition puts the focus where it rightfully belongs: on the intention to place principles of good governance and business ethics at the core of compliance.
The 2012 LIBOR (London Interbank Offered Rate) scandal is an example of a highly respected body of bankers flouting basic business ethics and taking the entire system for a ride. We will discuss the scandal itself in some detail under the Real-Life Cases. For now, the reference serves to highlight the fact that the foundation of positive compliance is good governance and sound business ethics. It is the bedrock of sustained and balanced growth. The absence of this bedrock may yield monetary gains in the short term, but the edifice collapses like a pack of cards once it is discovered that the “business ethics” foundation was faulty or nonexistent. There are proof points galore, from Northern Rock to Bear Stearns to Countrywide Financial to Washington Mutual to Lehman Brothers: apparently infallible organizations whose names no longer exist because of a single crisis.
The impact and acceptance of compliance risk as a critical risk, within a period of under a decade, is evident from the fact that it is today considered at the top of the risk table. This is because of the challenge of balancing business objectives against the environmental expectations detailed in numerous laws and regulations. Imbalance leads to compliance risk. The compliance function is tasked with managing this conflict of interest and ensuring that a win-win situation is created, which is a tall order to say the least.
The other fundamental challenge of compliance risk is that it cannot be addressed through a capital cover, that is, a fixed percentage of capital such as the 8 percent prescribed for the traditional risks (credit, market, and operational risk). There is no “fixed downside” that can be provided for, because it is difficult both to quantify the compliance risk a bank carries and to truly provide for a worst-case scenario. This aspect will be discussed in some detail in the section on risk management.
From an evolution perspective, compliance expectations have always accompanied every passing regulation. In earlier times, different disciplines within an organization would assume responsibility for fulfilling the related obligations. The formation of a dedicated compliance function can be traced to the late nineties, when regulators such as the Reserve Bank of India called for the introduction of a “compliance officer,” a trend reflected in other countries such as the UK, with its MLRO (money laundering reporting officer), where it became mandatory to have a “nominated officer” in 2007.
But most of these measures were disjointed and sporadic responses, and both regulators and industry soon realized that the area of operations of compliance “needed not only to be enlarged but very clearly defined.”3 What all of the recent regulations, topped off by the BCBS 2005 guidelines, have done is to establish compliance and the compliance function as a necessary part of the industry. As one regulator put it, “In a sense, the need for compliance can, effectively, be equated to the frictional force which, though it impedes the progress a bit, is still necessary for movement. Compliance works more as a lubricant which oils the business machinery and keeps it going.”4
For a better appreciation of the context, it is important to look at both the past and present events that have shaped the content and structure of compliance in financial services. From there, it will be possible to look at the possible future more realistically. I must confess that my respect for historians went up manifold as I realized how difficult it is to get comprehensive and objective information chronologically, if at all, as you wade through pages of history and try to stitch them together in a logical and cohesive way.
Tracing the history of formal compliance initiatives in the financial services industry will not take us very far back, because compliance as a distinct subject is fairly young. An attempt at formally defining “compliance risk” and acknowledging its place among the risk categories is as recent as the BIS definition in 2005. But rules, the expectation that they be complied with, and breaches thereof are as old as mankind itself. How old? Well, the first known compliance breach, as I mentioned in the preface, is as old as Adam eating the forbidden apple!
Throughout history there have been rules, as well as people and organizations that have broken them, at times with dire consequences. The concern is that people and organizations have not learned from these consequences. It almost seems that organizations have developed a selective amnesia with respect to the possible negative outcomes. They tend to make the same or similar mistakes, both consciously and unconsciously. Later in the book, under the heading “Lessons Not Learned,” I will discuss examples of some large and prospering organizations that have disappeared from the face of the earth because of breaches, explicit and implicit. For now the focus is on gaining a peek into the history of compliance in financial services.
Tracing the word compliance in the Merriam-Webster dictionary, the first known use of the word is circa 1630. The first known use of its base word, comply, was in 1602. The origin is the Italian complire and the Spanish cumplir, meaning to complete, to perform what is due, to be courteous, a modification of the Latin complēre. Each of these components is applicable even in today's organizational context. However, since the effort here is to trace the concept in the context of financial services, the starting point will be the twentieth century onward.
In financial services, it is not an exaggeration to say that the history of compliance is closely connected with regulations; and regulations have, more often than not, been after-effects of scandals or crises, incidents that shook the economy (call it panic or recession). In a way, tracing financial crisis points across time gives a fair idea of the development of regulatory framework and, by extension,
3 K. C. Chakrabarty, “Compliance function in banks – back to the basics,” July 12, 2013; http://rbidocs.rbi.org.in/rdocs/Speeches/PDFs/SIIBF160713.pdf (reprinted with the permission of RBI).
4 Ibid.