When Best of Breed Financial Crime and Compliance “Point Solutions” Aren’t Enough

Ranging from libor rate fixing to product miss-selling, 2012 was without doubt a busy year for regulators the world over. Certainly a look at recent regulatory enforcements highlights the complexity and difficulty involved in running a financial services company, while keeping it compliant and within the law. Plus avoiding the high costs from a financial and reputational perspective if it all goes wrong!

For example, according to reports in the press there was a record £312m in fines handed down by the UK Financial Services Authority in 2012, with many cases focusing specifically on failures in the company’s  systems and controls. These levels of enforcements were more than matched in the US, where in 2012 the SEC brought 734 enforcement actions, just one case below the record 735 seen in 2011 and obtained orders requiring the payment of more than $3 billion in penalties and “disgorgement for the benefit of harmed investors” which represents an 11% increase over the amount ordered in 2011.

Regulators are certainly becoming more demanding and intrusive and not afraid of handing out the big fines!

So what can companies do to avoid becoming another regulatory statistic and help strengthen their internal control framework and defences against nefarious criminals, incompetent employees or simply bad luck? A complete “root and branch” review and senior management shakeup, followed by new people, policies and procedures? New, more, or just different financial crime detection, monitoring and reporting systems?

There is clearly no definitive right or wrong answer as each organization is different, but what has become increasingly clear is that even when companies have implemented single, or even multiple financial crime solutions, those who are sufficiently motivated and able to do so have been able to work around the automated checks and controls.

For example, simple “wire stripping” allowed the payments team of one bank to circumnavigate their automated payments screening solution and breach Anti Money Laundering (AML) sanctions controls that resulted in large fines and reputational damage to the bank. This risk massively increases when there are just spreadsheet based controls or paper based end of day checklists.

Over the past five or six years, financial institutions globally have made substantial investments in trading/broker and AML compliance and fraud prevention measures. However, typically, these solutions, systems or reporting mechanisms have been implemented in a silo'd fashion, specific to a line of business or channel that holds the budget at that time. The result remains a significant exposure for the company, since most criminal schemes cross channels, products and lines of business. Plus this does not protect the company from events such as the significant reputational damage that comes from an “IT glitch” that brings a bank’s systems to a complete standstill, with retail and business customers unable to access funds.

It is in this environment that we are seeing more interest than ever before in Governance, Risk and Compliance (GRC) solutions as companies, sometimes under regulatory and business pressures, seek a better way to identify and manage the variety of potential and existing internal weaknesses and external threats that can lead to operational risk, losses or regulatory censure or fines.

It is becoming widely recognised that even having best of breed financial crime detection, reporting and monitoring solutions is just one part of the story.

There is a need, perhaps now more than ever under the watchful eyes of more demanding regulators and shareholders, to provide an in-depth level of insight across the enterprise and to effectively identify, monitor, and manage risks and controls across lines of business and processes. This level of insight is required to give stakeholders the confidence that the company is performing in line with stated business and regulatory objectives - not only profitability but also from reputational standpoint. 

In particular, financial institutions increasingly want to verify and confirm that:

• Risks and controls are identified, regularly tested and assessed in a systematic and consistent fashion
  
• Corporate governance and local regulatory rules are being followed
  
• Employees understand and adhere to corporate objectives
  
• Potential noncompliance and underperformance issues are identified and rectified
  
• Operational risk exposures are in step with corporate risk appetite
  
• Detailed issues and corrective action plans are in place and their implementation is monitored
  
• Investments in existing financial crime and compliance solutions can be integrated into an operational risk framework
  
• Knowledge is retained as a basis for confirming good governance, strong risk mitigation and effective controls no matter what changes take place to the company’s people, processes and systems!
  
• The appropriate amount of capital needed for operational risk is being captured and understood and that the exposures are being managed to ultimately reduce this sum.

We believe that it is only when individual financial crime, risk and compliance systems come together on a truly unified common data platform and under a robust Operational Risk and Governance and Compliance Management umbrella do companies truly get the required level of insight to consistently make the right “risk based” decisions that keep the company moving forward.

What do you think? I would love to hear your views on this topic.