Compliance: The New Rule Book Is Still Like A Maze

Not since the 1930s has there been such a wave of regulatory actions. The difference this time, making the compliance challenge more pervasive, lies in what prompted the regulatory wave: the crisis of confidence following the dot-com bubble; growing terrorist and money laundering concerns; and the fear of criminal rings that are increasingly sophisticated in pilfering sensitive customer data.

As a result, the past five years have been a perfect storm of regulatory burden. While some compliance requirements are well known and thus easier to manage, such as those in the Bank Secrecy Act, other areas, such as Fair Lending, continue to evolve, creating a never-ending source of dicey compliance issues. "It's a full time challenge for us," says Frank Giancola, evp and chief compliance officer of Interchange Bank in Saddle Brook, NJ. "Since 9/11 and the Patriot Act we've really stepped it up. We recognize the severity of noncompliance and the reputational and legal exposures."

Sarbanes-Oxley, the USA Patriot/Bank Secrecy Acts, Basel II and Fair Lending all present myriad compliance challenges that span the enterprise. It would be convenient if all these compliance issues could run through one person, such as a chief compliance officer, to make sure all compliance-related decisions are coordinated. This would benefit an institution in several ways. Coordinating system and service purchases could yield significant cost savings; coordinated compliance decisions could reduce the chance something falls through the cracks; and finally, such coordination might improve business processes by leveraging the valuable data gleaned about customers for better marketing and pricing of products and services.

In reality, however, this level of coordination is largely a pipe dream. Even where chief compliance officers exist at larger banks, the scope of their responsibility is often remarkably narrow, many times just involving Fair Lending. Meanwhile, compliance issues related to SOX and the Patriot Act are divvied up in any manner of ways between chief financial officers, chief risk officers or the general counsel. Sources say the lack of coordination is more likely to impede better business performance, though, than lead to actual compliance violations.

The problem of disjointed decision-making is less severe at smaller financial institutions, which have less staff and a more streamlined compliance approach. Giancola describes a system of regular meetings at Interchange Bank meant to keep all the senior leadership in the compliance loop. There's a weekly compliance committee meeting attended by HR, finance, and lending (both retail and commercial). There are also various subcommittees on different compliance legislation and regulation, such as the Patriot Act. There is a bi-weekly operational committee meeting to discuss risk across the enterprise, and there is also a recently formed corporate governance committee that examines regulatory changes and pending legislation.

In a nod to how broad the compliance landscape is, and how even relatively under-the-radar issues can have a big impact on banks, Giancola cited a recent change in New Jersey state law governing attorney-client trust accounts. The mandated interest on these accounts (known as IOLTA) went from 1 percent to 3.25 percent. For Interchange Bank, not only does the legislation further complicate its compliance management, it also translated into a $1.2 million hit to the bottom line. On the plus side, the whole process has brought a depth of knowledge to the whole management team around compliance issues, says Giancola, who also credits regulators for helping keep Interchange and other smaller banks on the right side of these issues.

Michelle Loghry, compliance officer at Centennial Bank in Ogden, UT, says her bank also has a weekly meeting where compliance issues are voiced. The weekly strategic planning committee meeting is a forum where she can introduce any new regulations, guidelines and training issues to all the business lines, and she can get feedback from them. While the bank's size ($162 million in assets) and small tight-knit management make coordinating on compliance relatively easy ("We knock on each other's door almost daily."), she has also come to the conclusion that automation is a must, that the old manual procedures must be replaced.

And there's the rub for smaller institutions: while their size and flatter management structure mean coordinating on compliance is easier than for larger institutions, they often have an IT handicap. They simply don't have the technology in place that would allow them to capitalize on their deeper customer knowledge and improve business performance. Those sorts of robust, expensive technologies are more likely to be found at larger institutions, where compliance decisions are more decentralized.

If anything, however, larger financial institutions are overpaying for compliance-related IT, as well as the compliance functions across the enterprise, says French Caldwell, vp of research at Gartner. He says that mid-sized to larger banks have executives in charge of separate compliance initiatives: a SOX initiative, a Basel II initiative, etc. "This is suboptimal, and at some point you need to roll them together as an ongoing program. Separate programs just add costs. We estimate this separated approach adds 130 to 150 percent more to the cost of the compliance effort, and the technology portion costs 10 times as much."

That shouldn't be too surprising, he says, given the fact that multiple business units are buying their own technology, hiring their own consultants and consuming their own labor. Indeed, technology is a relatively small portion of the compliance waste, Caldwell says. It's the labor and consulting costs that really eat into the budgets.

"Only about 25 percent of banks and other financial institutions are trying to [roll their initiatives together], which is a shame because, in a way, it's an easy fix. You would have one overall compliance risk program instead of everyone doing their own thing," Caldwell says. What's more, overall complexity would be reduced and visibility would be increased. He estimates about 15 percent of the average bank's IT budget goes to compliance, with that figure rising to 30 percent in some cases.

Yet a healthy spend on IT is inevitable, says Guillermo Kopp, research director, financial services strategies and IT investments, TowerGroup. After all, for senior managers to make coordinated compliance decisions they must all be able to tie their particular analyses back to the same underlying financial transactions, "to that single source of truth," as he puts it; this underlying truth will inform their individual and then joint compliance decisions to create a more holistic compliance approach. "Once firms integrate risk and compliance platforms, they can link those platforms with business performance and customer value, which is the ultimate goal. Can you use that to do a bit of CRM? Why not? To address customer service needs? Of course. For relationship pricing? Yes."

The kind of tight senior management compliance coordination that will boost business performance might still be in the offing, but banks are making some improvements. For one, boards of directors are pushing bank managements toward coordination by their growing demands for closer compliance adherence. (After all, SOX puts them on the hook for violations.) "I believe they are talking to one another because it's a board of director's issue," says Kim Legelis, director, financial services industry solutions at Symantec Corp. "SOX put regulatory compliance one or two or three on the list of boards of directors' issues. They want compliance dashboards, and so that's one of managements' primary motivators. Lines within banks are coordinating across the institution."

Paul Johns, a vp of global marketing at Orchestria, a provider of email control solutions, says he's noticed a decided change in the way that decision-making occurs among his clients. He's talking to the same titles within an organization, but now the CCO has his own budget; he's not going cup in hand to IT. "It's become more about compliance and less about being an IT initiative," Johns says. As a result, he says, the decision-making chain is clearer and speedier. "The sales cycle has probably decreased 50 percent."

Another contributor to the lack of compliance coordination among senior management is the simple lack of expertise. Todd Cooper, evp and chief product officer at PCi Corporation, says the lack of qualified, experienced compliance people is a big issue. "When you have 7,000 banks it's not reasonable to expect all of them to have an AML expert in-house." PCi does offer CRA, AML and Fair Lending services on an outsourced basis, and not just to small fry. Citibank is a client of PCi, and a recently signed client (whom Cooper declined to name) has eight million credit card accounts.

Reaching outside the institution for compliance expertise is a decision that Daniel Tower, chief compliance officer at Northern State Bank in New Jersey, recently made. The de novo bank opened its doors January 30 and relies heavily on compliance consultants for board and staff training and just "to bounce things off of all the time," Tower says. Even with a small start-up staff, he knew that compliance could not be a chewing-gum-and-bailing-wire operation. "The BSA/AML issue is without a doubt our focus, because it is the focus of examiners. We were told in no uncertain terms by regulators that there is no margin for error."

(c) 2006 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com
