Podcast transcript: Compliance transformation: How new challenges are driving change

16 mins 12 secs approx | 28 April 2021

Sajedah Karim

Hello, everyone, and welcome to the next EY Compliance and Conduct podcast. My name is Sajedah Karim and I’m a partner in Financial Services Risk based in London (Ernst & Young LLP). Today, I’m joined by Kara Cauter and Stuart Crotaz, who are Risk partners for capital markets conduct and compliance (Ernst & Young LLP), and by Michel Grummel, who is a partner in our forensics team, and conduct and compliance lead for our Netherlands practice (EY Advisory Netherlands LLP).

Today, we’ll be discussing compliance transformation. So, over time the compliance function has evolved from working in organizational silos with little to no cross-functionality across other business lines, for example, sales, legal, and HR, to a change to the current state of cross-functional teams collaborating on key compliance and risk initiatives.

Now, new and unforeseen challenges are driving changes to the current state model. For example, financial markets are changing. They run at pace. They’re data-enabled, high-volume, digitally delivered, and increasingly tailored. Regulators are raising warning flags about lack of investment in compliance technology and capability and the COVID-19 pandemic is producing new and unforeseen challenges, including conduct and large-scale, rapid digital transformation.

So, in this podcast, we’ll be looking at compliance transformation, the conduct environment, and the current digital shift to end-to-end, agile, data-centric decision-making. I’m going to turn to our first guest, Michel. Michel, I’d like to start by asking you about the recent challenges firms have been facing in the conduct environment.

Michel Grummel

Thanks, Saj. Remote working gives a lot of challenges for everyone, also when it comes down to conduct. The recent pandemic has caused firms to assess the human impact of both the societal challenge on staff as well as the way in which the positive culture of the firm can be maintained or in the case of new joiners developed in their team. Many now see the wellbeing of staff and the ability to train and support teams in each of the three lines of defence as one of the most important and yet less well-understood aspects of the market changes.

The COVID-19 pandemic will also have created a better work-life balance for some and, as such, many people may now want to maintain some level of working from home. This, however, causes challenges such as producing a greater risk of misconduct. Firms will be able to find creative ways to connect their teams. Nevertheless, the reduced face-to-face training and oversight creates heightened risk and will be a key area of focus for firms, as well as for regulators.

Regulators will wish to understand how firms will look to assess the wellbeing of staff and the impact of their conduct and decision-making. This is highlighted by the reduced physical supervision, a limited team connection to colleagues and, for those who are new, to the organizational culture within which they are expected to operate.


Yes. Thank you, Michel. I think every time we speak to clients at the moment, there’s this question around this shift to working remotely and how it’s going to affect the conduct and compliance environment. What’s your take on what other impacts there might be?


Yes. That’s an interesting question. Previously, the compliance office and the business advisory team would rely partly on face-to-face contact and the reading of body language to maintain cultural expectations within the front office and to identify potential misconducts. There’s a question now on how misconduct is identified without the physical oversight of compliance officers and management sitting at trading desks.

There are also fears that individuals may feel despondent and are detached from the values and purpose of their firm. Therefore, there’s an opportunity for compliance to re-evaluate and strengthen their role in this area. Where in the past we saw that data was predominantly used to identify risk, misconduct, or even wrongdoing, nowadays we see a clear shift to also use data to identify who needs support and proactively reach out and support their staff.


What’s your take, Michel, on culture and challenges that firms will face as a result of the new ways of working?


Well, there are clear worries that over time a firm’s culture may start to be impacted by the recent digital shift and hence there will be a renewed focus in looking to update conduct dashboards to track key culture data attributes from the first line of defence. This can include a broad range of data from metrics such as instances of late booking of trades to softer indicators such as the use of inappropriate language in internal communication channels. Firms will also be looking to reaffirm their culture through enhanced training and increased communications around their policies and procedures.

Finally, some firms have created specific supervision frameworks against which to assess managers as they oversee remote teams including the tracking of behavioral metrics of staff to determine whether managers are appropriately disseminating firm culture, for example, through cascade calls. Compliance role is then to identify any resulting trends and act as a supervisor to monitor key indicators and deal with any escalated issues.


Thank you, Michel. Really interesting thoughts there. I’d like to turn to Stuart if I may, please. Stuart, we’ve already mentioned some of the challenges the modern compliance function faces. What’s your take on additional challenges?

Stuart Crotaz

Hi, Saj. Yes. I think some of the challenges for compliance now are going to be wrapped up in the strategic and structural changes that we’re seeing firms implementing. In particular, firms are looking to address cost, they’re looking to address the new digital channels, and think about a post-pandemic environment. So, I think there are probably three things that I would call out as being the real challenges for compliance going forward.

Firstly, there’s the need for compliance to support the business growth agenda, having previously been far more in a protection and defense space. By that I mean the need to be more aligned with business strategy and able to be part of building a new technology-enabled environment. Now, for many compliance officers that will feel a challenge to independence and maintaining that independence will continue to be important, of course, but doing that as part of an enterprise-wide growth agenda is where I think the real skill will come from. So that’s the first.

The second challenge, I think, will be around providing completeness of coverage. Regulators are going to be looking for that, especially in a more remote working environment. At the same time, compliance is going to need to manage cost down and demonstrate value-add to management. So, in short, compliance will have to do more with less and to achieve that, they’ll need to harness technology to identify and manage risk, especially in areas such as conduct risk where there often isn’t a binary answer.

Then, finally, to achieve these, compliance is going to need to think about its own operating model, as many now are, and harness the knowledge it already has. So, by that I mean that compliance has information through testing, advisory, surveillance, thematic reviews. Now they’re going to have to bring those together to understand the bigger picture and provide an early warning system. Doing that is going to need different skills and you can already see that the compliance function that’s emerging will be smaller, more experienced, more technology-skilled, and will operate probably more closely with the first line.


Really interesting, Stuart. You certainly see all of those trends beginning to emerge, don’t you, as green shoots as you go and speak to various clients across our markets. What about the cost agenda? What are your thoughts on how that will be impacted?


Inevitably the cost agenda is high on the list for all firms and I think that goes hand in hand with the evolving role and value of compliance. Regulators and management are both expecting compliance to establish a strategy that pre-empts potential risks rather than deal with threats once they’ve occurred. We can certainly see that when you look at, for example, the Financial Conduct Authority’s (FCA) five conduct questions and their expectation around a conduct strategy that equips the organization to identify and manage these threats to the business and to customer outcomes before they occur.

So, part of that narrative will be for compliance to help embed day-to-day regulatory controls into the business and then demonstrate traceability within that model. We see the rise of compliance coding being one of these and regulatory mapping clearly being another. So overall the role of compliance in managing that cost agenda probably I would put into three elements.

Firstly, to act as an insightful business advisor as the bank undergoes digital transformation. Secondly, to support the development of an optimized, end-to-end set of processes which trace the rules and requirements through the life cycle of the business. Finally, to provide the governance of emerging risks through embedding smart controls to provide continuous monitoring capabilities and customized, actionable insights to leadership.


Thanks, Stuart. You always see, more and more so now, that some of the data that the different divisions within an organization need is all the same, frankly. It’s just used in slightly different ways and that trend in particular leads me to my next question around, how do you see compliance interacting with other functions going forward?


I think that’s really interesting, Saj. That’s definitely a move that we’re seeing. A number of compliance functions are already split by risk type, for example, in cyber, operational risk, data ethics, but we’re certainly seeing a move to either a fully non-financial risk second-line function, if you like, or one that is more clearly aligned with those other risk disciplines across the second line.

There’s a question of ownership around regulatory obligations and I think there’ll be a blurring of the line between first and second, but overall I think compliance will look to make the right use of small and medium-sized enterprises (SME) and expertise to increase cost-effectiveness and provide what many business users might term a single view of risk, a single view of regulation, and overall improved communicated risk assessments.


Thank you, Stuart. That theme takes us on to, well, to do that, in order to really enable that, you need to have a lot more power behind data and technology. I wonder if I can move to Kara, who has been really active in that space across the market and, Kara, perhaps get your view on how you see the future of the compliance function evolving.

Kara Cauter

Yes. Thanks, Saj. I guess I’d just build maybe on what we’ve heard from Stuart and Michel, which is, certainly over the last several years we’ve seen compliance functions evolving certainly in a lot of firms from real organizational silos definitely towards a mentality about being part of a team that’s really working cross-functionally on some of the key initiatives that their firms are facing. I think what we see now is that some of the really leading-edge compliance functions are aiming to be much more end-to-end agile, involved very much from the idea of the business or service right through to where we most often see them now, which is really monitoring the compliance risks that arise from delivering that business or service.

To do that, they’re looking to become much more data-centric, looking enterprise-wide to think about how they use data to actually help them better assess and provide more insight to business and management on the sources of compliance risk that are arising. I do think as a result of that they are looking to work more closely with the business and, picking up on Stuart’s point, to help the business really understand how they can embed agile and smart controls in the way that they’re actually designing their products, designing the supporting processes, and designing the supporting technology.

With EY regulatory and compliance manager, it’s a really good example of how technology can help firms to do this. We’re developing a leading-edge, next-generation, artificial intelligence (AI)-enabled regulatory solution and that actually combines, clearly technology, but also understanding of process and our market-leading domain knowledge around regulation and financial services to enable both EY teams and EY clients to really understand how the business links through to regulatory obligations at a granular level and therefore be able to understand the implications of regulation for both the strategic direction of the business but also so that they have more information and they can make better decisions about managing compliance risk on a day-to-day basis.


Thank you, Kara. I think it is the whole piece around, you can have masses of data, but it’s the business knowledge and the know how around how you really need to use that data which is, I know, the journey you’ve been going on for the last 18 months or two years. Where else do you see data and technology fit into firms’ compliance transformation strategy?


Yes. I think there’s two ways in particular. The first and certainly the area of most interest to management is virtually real-time insight on, where could risk be arising and how can they much more proactively and predictively ensure that they are mitigating and eliminating compliance risk and how do they do that by having the right data coming to them at the right time?

I think related to that, getting into the more detective end of the spectrum, is then testing and monitoring, which over many years, despite advances in technology, has often been relatively manual, now becoming increasingly automated, which really means there’s an increase in both the efficiency but also the intelligence because you can reduce the number of resources required to reach compliance and actually increase the scope and the depth of the analysis that you’re doing as part of that testing and monitoring cycle.

So, I think as a result of that, that really doesn’t eliminate the need for the compliance function. It really frees the compliance function to focus on the value-add they can give to the business and really advising them on how they directly meet their regulatory obligations and working closely with them on that front-to-back creation of products and services and activities and then monitoring the life cycle of those services as they’re delivered to clients on an end-to-end basis.


Thank you, Kara. I think just listening to the three of you there, it’s really apparent that compliance will remain a strategic hot topic given both increasing regulatory pressure and the need for data-centric, cost-effective compliance. I think further transformational challenges such as the COVID-19 pandemic are also providing new and unforeseen hurdles that businesses will need to find innovative solutions for and continue to adapt to.

For anyone who wishes to delve deeper into the recent thought leadership around some of the topics discussed today, please use the links posted on the podcast homepage. I think with that, I just want to thank Michel, Kara, and Stuart again for all of your thoughts and thank you, everyone, for listening.