Firms are proceeding to adopt a new model of an evolving tech-enabled compliance monitoring and advisory function that can be seen as a strong business partner and trusted advisor with a more proactive and forward-looking capability.
Enduring compliance structures and evolving relationships
Traditional risk types dominate compliance, and relationships with the first line are strong.
Some firms are actively considering significant structural changes to their compliance functions, but most continue to split their compliance teams by risk type and / or compliance activity. The top three risk types currently overseen by compliance functions are regulatory risk (100%), conduct risk (95%) and data privacy (81%). Compliance teams are least likely to oversee third party risk (38%), cybersecurity (38%) and operational risk (33%).
These findings show that the traditional scope of compliance has remained constant. While involved, the compliance function has not typically taken full ownership of new and emerging risk types, particularly other non-financial risks such as cyber and data ethics. There is less consistency around where these emerging risk types sit within firms – they do not appear to have as much of a “natural home” as regulatory risks. In addition, some banks have merged non-financial risk with conduct and compliance, while others have kept them separate and distinct.
Firms share common approaches to the task of identifying emerging compliance risks. Most banks (95%) perform external horizon scanning of outputs from regulators and monitor regulatory affairs; 90% of banks also draw from internal metrics; and 76% rely on escalations from the first line.
A third of banks use other methods, such as attending stakeholder meetings with the business, tapping into peer discussion forums, attending trade body meetings (e.g., with UK Finance and ORS GROUP) and engaging with other industry forums and consultancies.
In most firms (57%), the regulatory relations or liaison team sits outside the compliance function. However, this tendency to keep regulatory relations or liaison distinct from compliance appears more prevalent across continental Europe. Most UK firms position their regulatory relations teams within the second line.
Firms have taken significant steps over the years to clarify and improve the Three Lines of Defense (3LOD) model, enhancing communication and moving toward defined and segregated responsibilities. Firms across the UK and Europe generally report strong working relationships between compliance and first line colleagues (rated as 7.6 / 10 on average). Most banks perceive the division of roles and responsibilities between compliance and the first line as quite clear (68% giving ratings of 7 or 8/10).
Further, firms describe little challenge in evidencing the independence of compliance from the first line, with a number of banks noting “no substantial” or “little” challenge. Others explain that while there are some challenges, overall “the situation is generally good”. Some identify challenges relating to “blurred roles in terms of oversight” or “in relation to specific topics”. This is supported by the fact that 58% of firms say that “some” (48%) or “a lot” (10%) of the activity carried out by compliance should be conducted instead by the first line.
Hence, although the relationship between the two lines of defense seems more constructive than it potentially has been in the past, there remains a tendency for compliance, at times, to take on work on behalf of the first line. Strengthening first line capability will be a key focus in 2021, to allow compliance teams to conduct their independent, thematic work and to support the ongoing relationship between the first line and compliance.
However, the burden on compliance could be further alleviated, particularly in areas such as monitoring and compiling reports and MI – activities that, as set out below, firms identify as appropriate for technology solutions or automation. This would help to release capacity within the compliance function for proactively addressing some of the new focus areas and taking a greater role in shaping firms’ responses to emerging threats.
Realizing the vision of a tech-enabled compliance function
The COVID-19 crisis could catalyze data and technology adoption, transforming compliance impact.
Compliance functions in the banks that we surveyed are prioritizing data and technology adoption over the next 12 months. Among survey participants, the most highly rated focus areas are technology adoption, achieving a more data-driven approach and supporting business growth.
These priorities are seen as complementary to, and to be pursued simultaneously with, supporting the firm, customers and wider stakeholders in exiting the COVID-19 pandemic through 2021. For example, compliance teams will continue to provide oversight of the impact of payment breaks and payment deferrals, which have proved a lifeline for banks’ personal and small business customers.
The lower priority areas for compliance in the coming months include the more “traditional” compliance activities, including developing and enhancing policies and procedures, monitoring and oversight, remediation and, interestingly, cost reduction.
The topic of cost reduction triggers some contrasting expectations by geography. Overall, most firms (67%) report that 2021 compliance budgets will increase or stay the same. However, 71% of non-UK banks expect their budgets to increase, whereas 100% of UK participants expect budgets at best to stay the same, but more likely to decrease. This divergence is likely to reflect the scale of investments made historically to respond to regulatory expectations.
Survey responses across all firms suggest that the adoption of technology and automation will be focused on areas where the compliance team currently spends a disproportionate amount of time: compiling MI and reporting (75%), horizon scanning for regulatory change (38%) and performing routine compliance monitoring (38%). Investment in data and technology in such areas will improve compliance function efficiency and provide the quickest return on investment. It will also enable the compliance team to devote more time and attention to forward-looking, proactive and value-adding activities. Firms consider these to include performing thematic reviews and trend analysis, performing market and trade surveillance and providing high value advice to the business.
Overall, survey participants feel that the adoption of technology, machine learning and AI is still very much “work in progress” and that more could be done to maximize its impact. As expected, the larger firms are generally making increased use of technology, having the advantage of scale in building the business case for investment. Firms with a customer base of >100m rate their technology adoption higher (33% at 7-9/10 and 67% at 4-6/10) than those with <10m (33% at 7-9, 44% at 4-6 and 22% at 1-3).
There is broad consistency around where technology is initially being applied, the most common areas being compliance monitoring and surveillance (70%), MI and reporting (65%), horizon scanning and regulatory inventory management (60%) and risk identification (45%). Firms are starting to use data analytics, particularly within compliance monitoring and surveillance (80%). However, only 25% are using data analytics for real time MI dashboards. UK firms are most likely to use data analytics for risk identification and monitoring, perhaps due to the regulatory focus within the UK market.
Firms unanimously recognize the need to embrace technology, but substantial obstacles are impeding adoption. Firms highlight the lack of capacity of current resources (a key blocker for 67%), coupled with a lack of relevant technology skills in-house – whether within or outside the compliance teams themselves. Many respondents (88%) identify competing pressures with other compliance priorities. Therefore, it seems that compliance teams are too thinly stretched in performing their day-to-day roles to allow time to fully consider the broader adoption of technology. Most have yet to achieve the “virtuous circle” of making time for technology adoption, which could increase compliance efficiency and effectiveness, and which could free up time and capacity to consider further efficiencies and to focus on more value-adding activities.
This could be about to change. The new ways of working enforced by the COVID-19 pandemic largely depend on technology. Could one of the rare upsides of the pandemic be that compliance forges a way through its historic blockers to enable rapid and sustained technology adoption?
Embracing change while retaining core compliance principles
Firms see the potential for new ways of working and adding new skills to the competency mix.
Most firms recognize that the COVID-19 pandemic has accelerated the pace of change for compliance. The majority of firms (57%) report “facing increasing compliance risk” due to the pandemic, while 38% identify “accelerating plans to implement technology solutions within the function” as another key impact on compliance. Almost a quarter (24%) say that the COVID-19 pandemic has “enabled identification of issues or inefficiencies within compliance processes and systems”. However, the pandemic has had less impact on plans to change the way in which the compliance function is structured (19%), and there remains a strong desire to maintain core compliance principles, which firms continue to value highly.
Firms are evolving their thinking in relation to agile working, showing more willingness to adopt such approaches. Originally associated with customer-focused IT projects where failure is an option, agile methodologies were not initially thought appropriate for compliance functions. However, it is clear that banks are finding value from agile experimentation within compliance, adapting it to suit particular needs and circumstances.
The appetite to “proceed with caution” to an agile, technology-enabled compliance world is reflected in the skill set required by compliance officers – now and in the future. “Understanding of the business” and “knowledge of local regulations” are the top ranked attributes of compliance professionals both now and going forward. Several participants describe these as “hygiene factors”: however technologically expert a compliance officer might be, without these core skills, they would not be able to do their job.
The skill mix is changing, however, with greater emphasis being placed on digital and technology skills in future. Although “knowledge and experience of working with technology”, “data and analytics” and “being digitally savvy” are currently ranked sixth, seventh and eighth, they rise to third, fourth and fifth respectively in the desired future skill set. “Direct experience of working with the regulator” and “people management” are currently ranked third and fourth in terms of attributes of compliance professionals but fall to eighth and ninth in the rankings of future skills required.
Overall, compliance teams understand the importance of evolving their capabilities and of responding to the changing demands of the firm – but not at the cost of alienating valued, longstanding personnel or losing sight of core compliance principles which continue to underpin successful compliance functions. They also recognize the need to support their compliance professionals in the current conditions. Developing compliance talent programs and training and development schemes, as well as ensuring objectives are set in close consultation with staff, are just some of the ways firms are seeking to keep staff motivated and engaged in firm strategy and goal setting during this prolonged period of remote working.
Recognition of the need for change is evidenced by the way some banks are appointing senior compliance professionals with a strategic, operational or IT background. Such individuals may be able to bring a more strategic, independent view – where compliance becomes more closely aligned with firm strategy, takes ownership of emerging and non-financial risks, and has the capability to embrace new technologies and ways of working. Sometimes a fresh and objective perspective can drive a cultural evolution that builds on existing strengths but is not restricted by them.
In 2021, some compliance functions will be focused on the implementation of new operating models or the establishment of “hubs” or “centers of excellence” in order to improve their oversight model, move away from low value advice and generally increase efficiency. As teams return from remote working, what better time to consider restructuring compliance functions and revisiting the scope of compliance? Substantial synergies in terms of efficiency and insight are the prize.
Some firms remain focused on achieving process improvement and cost efficiencies by adopting technology solutions, automating monitoring and surveillance processes where possible, and seriously considering or actively adopting more data analytics into their MI and reporting. Some firms may want to start small – experiment with different technologies before opting for large-scale adoption.
Such responses are part of the solution but need to be combined with investments in people – including attracting new types of expert and developing new skills among existing compliance professionals. Combining new structures, new technology and agile methodologies with a wider mix of skills really could deliver a compliance function equipped to act as a true business partner.
Expectations for compliance function transformation are not new. What has changed is the impact of the COVID-19 pandemic on technology and working methods. Compliance functions have had to adjust and the potential for further change is clear. EY’s benchmarking survey of European banks shows firms are open to the opportunities available from embracing new technology solutions and data-driven approaches, and from adding new skills in technology and data to existing compliance capabilities. Further benefits can also be gained by restructuring compliance functions to drive synergies and embrace new risk types. Amid such change though, traditional compliance knowledge and principles remain highly valued.