The regulators’ perspective
Most regulators welcome the prospect of “collaborative compliance” with cautious enthusiasm. While they are wary of risks — particularly their lack of direct oversight of many service providers and the repercussions of flawed data in a shared services ecosystem — most embrace the opportunity for shared services models to improve outcomes. They also see potential for these models to enhance competition by making complex compliance capabilities available to smaller market participants. The US Office of the Comptroller of the Currency has said that it believes collaboration around compliance could strengthen the “future vitality” of community banks and that it “supports community banks in exploring opportunities to achieve economies of scale and the other potential benefits of collaboration.”
One clear and consistent message from regulators around the use of third-party providers is that all risks associated with use of data remain with financial institutions. In announcing its latest public consultation on outsourcing, the European Bank Authority reiterated its stance that “Institutions should be able to effectively control, challenge the quality and performance of outsourced processes, services and activities, and carry out their own risk assessment and ongoing monitoring.” This is a challenging ask in a complex services ecosystem.
How can we clear hurdles to adoption?
Adoption of the next wave of compliance-led shared services models in financial risk management and compliance has been slow to accelerate, despite the opportunities that new technology offers to reduce costs and improve operations and outcomes through collaboration.
A number of significant hurdles have hindered adoption, but these could be overcome if banks and regulators act now:
Hurdle: regulatory confusion leads to duplication. Even when banks outsource compliance functions, concerns around regulatory expectations are prompting many to carry out shadow processes in-house to mitigate risk. And with no industry-wide standards to assess and monitor potential vendors, these efforts, too, are duplicated across many individual firms, undermining cost benefits and dampening enthusiasm for wider rollouts.
Solution: clarify accountabilities. It’s understandable that financial institutions are cautious about outsourcing compliance when regulators will still hold them accountable for any breaches by shared services providers. This can be overcome by institutions and providers working together to document processes, confirm that providers understand regulatory obligations, and clarify risks and roles.
Hurdle: legacy manual processes. Many shared service providers are yet to evolve their manually driven processes, which limits the ability to derive real cost and efficiency savings.
Solution: comprehensive digitization and automation of processes. True transformation of compliance processes will be digitally driven, but full automation will require commitment and resources from both shared services providers and their customers. Greater uptake of these services will drive the scale needed to encourage utilities to invest in technology, which, in turn, will further boost their reach across the sector.
Hurdle: reputational and regulatory impact if it still breaks. Some banks are waiting to invest in shared services until regulators offer more clarity around their expectations and support in case of any “teething issues” experienced through the use of new technologies and utilities.
Solution: regulatory flexibility and support for innovation. Regulators are acknowledging that transitioning to new models and new technology may not always be smooth. Many, including an innovation network brought together by the UK’s Financial Conduct Authority (FCA), are rolling out “sandbox” initiatives to test what the FCA describes as “innovation-related topics.” There are opportunities to extend this sandbox approach beyond specific new services to include broader utility proposals, which could, in turn, help support firms work more effectively with service providers to provide smooth transitions to collaborative models. Financial firms and service providers can help themselves by improving planning and governance over transitions to new operating models.
Hurdle: inconsistencies in data and regulations. Shared services providers are finding it difficult to develop standardized, leading-class risk approaches due to the fragmented, inconsistent processes, use of data and definition of standards by financial institutions and regulators.
Jurisdictional differences in regulatory definitions, rules and regulations — in particular, complex, and often conflicting, data privacy requirements — are complicating efforts to centralize information in shared services centers. Even when data can be pooled in data lakes, concerns around resilience and security lead some firms, regulators and even the public, to favor a decentralized model, perpetuating fragmentation.
Solution: fix it, shift it and create a single version of the truth. Maximizing the benefits of investment in utilities will require financial institutions to clean up their data and align patchwork processes to prepare for a phased, controlled shift of data to shared services providers. In this way, they will prioritize changes to processes while enhancing the ability of providers to harmonize and offer leading-class approaches.
For regulators, standardization of rules can allow machines to take on more compliance tasks. Building this scale will accelerate momentum, boosting the development of standardized processes, technologies and data repositories.
Act now to accelerate adoption
Shared services have the power to unlock the true potential of technology to improve financial compliance and risk — but only if they can evolve for a digital era. Financial institutions, service providers and regulators will have to work together if they are to overcome the hurdles holding back these models from achieving the reach, scale and sophistication needed to match the operations of both leading-class financial market participants and malicious actors.