Compliance in financial institutions: that “coming storm” is now here

Today’s financial institutions face an increasingly complex regulatory landscape, due in large part to a growing focus on consumer privacy and data protection, as well as new environmental laws and corporate governance frameworks. The consequences of getting on the wrong side of this new regulatory agenda can be devastating. In the last few years, financial institutions — Goldman Sachs, Wells Fargo, and JP Morgan Chase, among others — have paid, in total, nearly $12 billion in fines.

The loss in revenue is just the tip of the iceberg. There’s also the reputational damage among consumers, potential loss of business partners, employee turnover, and loss of confidence in the institution’s management. Banks have learned over recent years that any form of negligence within this realm of operation can lead to big losses, particularly considering how strict the legislation in this sector has become.

Recently, Steve DeLaCastro, Ricoh’s Vice President of Financial Services, sat for a question and answer session to share his perspective on the challenges and opportunities of financial institution compliance.

Steve: Of course, banks have always had compliance models in place, but given the current regulatory environment, it's understandable that they're renewing their focus on their compliance culture and processes. The traditional compliance model was designed with a different purpose in mind, functioning in largely an advisory role with little focus on risk management or its identification.

Instead, the traditional model focused largely on these areas: preventing data theft; safeguarding the bank from government fines; protecting against tax evasion and money laundering; ensuring that ethics standards were adhered to; identifying and analyzing potential risk areas; and on occasion, creating a compliance program or formulating policies. That is the compliance department, frankly, of a few decades ago.

Steve: Compliance leaders now play a much more pivotal role in how their companies manage and communicate about these and other risk areas. This entails demonstrating to investors, customers, and other internal and external stakeholders that data protection, climate change and social responsibility are core corporate values.

Here is the harsh reality for compliance leaders. Evolving, complex, and often vaguely defined issues and regulatory frameworks have simultaneously emerged — enterprise wide, at ferocious speed, and ranging from sustainability and social responsibility to concerns around privacy and data security.

In response, the compliance discipline can no longer be viewed as an “advisory” function. Instead, there must be an organization-wide compliance mindset with compliance leadership from the C-suite. In that function, they are instrumental in creating a firm-wide compliance culture, guiding the business on how best to battle through their risks, advising on the matter of sound compliance technology decisions, and leading the charge to build resilience across the entire organization.

At the more forward-thinking institutions, compliance is now migrating beyond the four walls of the traditional “compliance department” into other areas of the organization. The sustainability and risk management functions are now sharing some of the responsibility. But for this shift to occur, the entire enterprise must be silo free, highly integrated, and agile. We have an uncertain economy ahead, geopolitical unrest in many parts of the world, and evolving regulatory rules and regulations. When compliance feels the heat, so does the entire organization.

Steve: Well, the topic that always comes up is data, which is really about information. And, not just the management of it, but getting the best ROI from it. Along with that, protection of it. So, I would say that most of the bankers we talk with, when we’re talking about compliance, their biggest concerns are information protection, i.e., cybersecurity and the new, somewhat foggy frameworks around ESG (Environmental, Social, and Governance).

In a Deloitte/FS-ISAC survey last year, bankers agreed they’re concerned about cybersecurity. Those concerns include a host of factors ranging from a borderless workforce, Shadow IT doorways, upskilling employees to consensus building, and the role that IT will play. And then there’s the host of factors centered on IT alone. Are the resources available? What is the relationship between IT and cybersecurity?

Some banks see cybersecurity as an IT function, which can get complicated, while others see these as two totally separate and independent functions. Is either of these scenarios ideal? Probably not. I know it sounds like a lot of questions, but banks will never get to the right answer if they don’t ask them.

I do know from my conversations that the banks feeling most “comfortable” in this area are those that are investing in emerging technologies such as cloud, data analytics, AI, ML, and robotic process automation. They’re also the banks that manage the decision-making process around integrating new technologies well, and understand that processes and decisions must be integrated across the entire organization. In the end, a lot of it comes down to how the cybersecurity function is orchestrated.

Steve: ESG is a 900-lb gorilla. From climate change and greenhouse gas emissions to workplace safety, human rights, and diversity, the regulations around ESG are quickly multiplying and evolving. Along with these regulations are coming compliance regulations around some highly specialized areas such as environmental P&L, impact investment, and carbon productivity, to name just a few.

As a result, there is growing pressure from customers, employees, and a wide range of both state and federal regulatory agencies, including the SEC, Department of Labor, EPA, and Federal Energy Regulatory Commission — all of which are in the process of developing their own climate principles and guidelines. The pressure is on for banks to have a compliance strategy in place that will provide the needed collecting, monitoring, analyzing, and reporting functions.

As you can see, the ESG area, perhaps more than any other, requires compliance to have continuously relevant, adaptable, and tech-driven regulatory change and related risk management programs.

What steps can banks take now to meet the demands placed upon their compliance function by internal and external stakeholders — especially in the areas of cybersecurity and ESG?

Cultivate a compliance mindset

Compliance functions are maturing, shifting from a reactive and advisory role to a more proactive, collaborative one. C-suite leaders must cultivate a compliance mindset that socializes its critical importance across the entire organization. Cybersecurity and ESG must be a priority, not just for the compliance function, but for the entire organization.

Build consensus to tackle data challenges

The lack of data and information to properly identify and assess exposure to risks is a growing challenge. A seamless, enterprise-wide data management and information-sharing process is needed to allow leadership to efficiently collect, monitor, analyze, share, and report risk information and insights. To achieve this transformation, banks will benefit from building consensus around onboarding the needed technologies.

Break down departmental silos

Compliance, risk management, and corporate sustainability have traditionally been viewed as three distinct disciplines and departments. But as compliance demands grow, there is a need for greater alignment of these areas. Banks must integrate from end to end. Do away with silos completely. It’s easier said than done, but technologies can assist.

Explore and adopt the right technologies

New technologies such as AI, ML, and cloud can make a bank’s compliance function more expedient, effective, and efficient, while eliminating manual, error-prone tasks. Over half of the respondents to a recent Accenture study say that they are using advanced technologies to strengthen their compliance function with a focus on building a more agile foundation of automated processes and cloud-based technologies. Respondents reported that leading practices now include adding/upskilling compliance tech personnel and operations and leveraging artificial intelligence (AI) and machine learning (ML) for compliance mapping, testing, and monitoring.¹