The accelerating pace of regulatory change
Regulatory environments globally are becoming increasingly complex – 300+ million pages of regulatory documents will be published by 2020 and 600+ legislative initiatives need to be cataloged by a medium-sized, sell-side institution to have a holistic view of their rule book.
Global financial institutions must diligently monitor and implement change in three regulatory clusters: financial stability, prudent operations, and resolution. The flood of revisions averages 200 per day – three times the rate in 2011. The Cost of Compliance 2018 Report found that 66% of firms expect the cost of senior compliance staff to increase, up from 60% in 2017. Nearly two-thirds (61%) of firms expect the total compliance budget to be slightly or significantly more over the next year – another increase from last year (53%).
Globally, banks are spending more than $270 billion a year on compliance and regulatory obligations, having on average 10–15% of their staff dedicated to compliance.
Overall, compliance costs for financial institutions amount to substantial parts of total expenses, with a negative correlation between the size of the institution and the percentage of total costs. For banks with assets ranging from $1 billion to $10 billion, total compliance costs are averaging at 2.9% of their non-interest expenses; for banks with less than $100 million in assets, the costs averaging at 8.7% of their non-interest expenses. For some banks, it takes up to $4 billion a year to cover demands ranging from checks to prevent money laundering, to requirements to give more data to regulators for stress tests. By 2018, The Dodd–Frank Wall Street Reform and Consumer Protection Act had already cost banks $36 billion with MiFID II costing €2.5 billion.
By 2021, regulatory costs are expected to rise from 4% to 10% of revenue, driven primarily by the sheer volume of regulations – each week sees an average of 45 new regulatory-related documents issued. The impact of this change on information governance in a financial institution is profound across all stages – data collection, data processing, data sharing, and data security.
The pressure of enforcement
As regulatory environments globally become increasingly complex, strict enforcement of new and updated guidelines leads to a highly prohibitive cost of even the simplest misstep, not mentioning misconduct. The estimates suggest that the cumulative penalties imposed since 2009 rose to $345 billion by the end of 2017, which is an increase of $22 billion from the cumulative total at the end of 2016. About 54% of compliance and risk practitioners are expecting personal liability to go up in the next year.
Financial risks alone associated with failure to adequately address regulatory requirements called for a change in the way financial services firms manage their compliance obligations and practices. Rob Fulcher, a recognized professional with 20+ years in the compliance and risk industry, explains the need for progression from manual data governance to sophisticated automation, leveraging technology made available by RegTechs.
"There is a huge responsibility now on the shoulders of regulatory professionals to stay up-to-date with regulatory change, be it proposed, upcoming or effective, and ensure their organization stays compliant. Pre-2008, it was an easier task for compliance, and certainly an easier task to accomplish manually. With less regulation, less volume of change, and less expectation from regulators, firms could afford to manually monitor regulators' websites and publications to review the change and determine applicability. Typically, the change was recorded in spreadsheets and distributed to stakeholders for review of policies, controls, and risk – a clunky workflow but commonly used during a time of less regulatory scrutiny. However, after uncovering the regulatory failures of 2008, a tsunami of new regulations flooded the industry and very quickly the volume surpassed the individual or team capacity of monitoring change manually, as well as the limitations of static spreadsheets. Of course, it's also difficult to retrospectively present a good audit trail for the steps compliance took when using spreadsheets and outlook.
I think it's fair to say that compliance and risk professionals initially suffered because of a lack of information, service, and dedicated solutions to help support their challenge, but with the emergence of purpose-built RegTech firms over the last five years and a better understanding of how to properly leverage AI, machine learning, and natural language processing within compliance, there are now excellent options available to the market, helping to improve operational and commercial efficiencies. Importantly, this use of technology helps to free-up compliance from the laborious task of scouring regulatory websites and instead, allows them to take on more high-value tasks, such as implementing change.
In short, I think it's become very evident in 2019 that technology is playing a critical and influential role in effective compliance management. I believe we'll see this trend and dependence continue to grow in the years to come." – Rob Fulcher, CUBE
Since 2008, many of the largest financial institutions increased their compliance staff 10X, yet are still consistently falling foul of the regulators, incurring fines. However, analysts today spend 90% of their time only on data collection and organization, and only 10% on data analysis – an archaic disparity in talent and intelligence allocation, leading to mistakes.
"Traditional compliance and fraud prevention programs are built on four-eyes principles, management oversight, and sign-offs. Add that to occasional, often inconsistent audits and the resulting systems fall short of meeting these new challenges. They are simply too slow, too ineffective, and too expensive." – How digitization is strengthening compliance and anti-fraud programs by Carolina Macri, EY, and Tomás Kong, SAP
Fulcher explains that while a number of large global banks have significantly increased the size of their compliance teams, manual processes are not scalable and sustainable anymore – banks can only go so far with throwing more people at a problem before they really need to automate the processes to make them more efficient.
"If you look at the patterns in 2008, it was very reactive. Financial institutions increased their compliance costs and increased their compliance resources, but the volume of regulations just kept on coming, and you can't just keep throwing people at the problem – that in itself introduces risks and inefficiencies. With technology, you can improve operational and commercial efficiencies." – Rob Fulcher, CUBE
How banks can effectively manage regulatory changes
Over a decade later, it's clear that manual processes are not only expensive and slow, but unable to provide the degree of regulatory intelligence required to tell organizations which regulations are relevant to their business, and how to avoid compliance gaps. If manual processes were effective, enforcement fines would not have exceeded $321 billion in the last five years.
Ensuring compliance in a highly dynamic environment of banking regulation led to almost 15% of the sector's workforce being deployed in governance, risk management, and compliance functions. To enable institutions to effectively address ever-increasing regulatory complexity, technology companies developed tools to address the need for automation in the GRC function.
Meanwhile, investments in regulatory software can lead to an ROI of 600% or even more with a payback period of fewer than three years. Today, there are 770+ RegTech startups operating around the world, 70+ of which are offering some of the most critical solutions for managing regulatory change – governance and regulatory reporting platforms.
One of the first-founded RegTech companies to recognize how extensive and voluminous regulatory requirements would become is CUBE. The company offers an enterprise-scale platform that operates throughout the compliance lifecycle to continuously monitor regulatory change, alert compliance and risk practitioners of the changes that impact the business, and enable rapid remediation to reduce compliance risk.
Currently, 1.5 million in staff in 180 countries are consuming regulatory intelligence and managing regulatory change initiatives that are powered by CUBE. The platform delivers value to regulated financial institutions based on a four-step methodology from monitoring compliance status and managing regulatory change.
The 4-step methodology allows institutions to not only capture the regulatory change but provides the regulatory intelligence and analytical capabilities to understand the impact of regulatory change on a particular business.
CUBE is the only RegTech company to deliver a fully automated regulatory intelligence and change platform that spans the entire end-to-end compliance lifecycle, across all jurisdictions, lines of business, and product types.
Financial institutions are utilizing CUBE to automate the regulatory change management process typically to replace complex, interwoven manual processes that are time-consuming, costly, and reactive. Since CUBE's customers operate in up to 180 jurisdictions, it requires a team of highly-qualified regulatory professionals of a substantial size to manually identify relevant regulatory changes, the applicability, as well as the associated policies and controls impacted by the change.
A typical CUBE customer is heavily regulated, often by multiple regulators, which requires them to have adequately proportionate teams of highly skilled regulatory professionals responsible for managing regulatory change. With the accelerating pace of regulatory change and the pressure of enforcement institutions face today, risks associated with manual management of important announcements are too high.
One of CUBE's clients, a global investment bank headquartered in the US, employed a team of 20 highly qualified regulatory professionals to monitor all of their global regulators' websites in approximately 70 jurisdictions which they do business in. This team was responsible for first identifying changes, then determining if those changes were applicable. Regulatory events that were deemed applicable were collected in spreadsheets and distributed to the relevant lines of business for review of impact. Further review was then completed to determine the risk, policies, controls impacted by the regulatory event/change and whether any action was required. The Regulatory Affairs team spent about three hours each day scouring regulators websites and publications.
By leveraging CUBE, the bank was able to automate the process of monitoring relevant regulatory changes and announcements. Lines of business and owners were automatically alerted to the change, as well as the associated policies and controls which were impacted by the change.
As a CUBE customer, the bank was able to redeploy the team to manage more high-value tasks, such as implementing and managing change to business processes and practices. The redeployment of the team to perform higher skilled tasks lead to a substantial ROI for the bank.
"Regulatory compliance is mission-critical, and no bank can afford to get it wrong. The financial impact is pervasive. Failure to perform results in crippling enforcement fines, damaged reputation, lost customers & revenues, and depressed stock values. The most effective damage limitation strategy is to leverage cognitive technologies to manage regulatory change at enterprise scale, and to view life as a three-way partnership between your financial institution, your RegTech provider and the regulators." – RegTech 2019 – What's on the horizon?by Ben Richmond, Founder & CEO, CUBE