The cost of compliance is a perennial topic. HSBC is not alone in having years when compliance costs have climbed as profits fell. In one quarter alone of 2017 regulatory compliance costs rose by 12% to GBP 620 million. Part of that was the hire of an additional 1,800 compliance staff, on top of an existing 6,000 people. Admittedly at the time HSBC was still under a DPA, but even before that time compliance was contributing increasingly to operating costs.
In a recent report Lexis Nexis, using research by Oxford Economics, put some of the costs faced by Financial Institutions in the UK into sharper focus. It was estimated that GBP 28.7 billion was spent on Financial Crime Compliance alone in the UK in 2020, and this is expected to rise to GBP 30 billion per annum by 2023.
To put this in perspective, the UK’s NCA (National Crime Agency) estimates the cost to the UK of serious and organised crime to be GBP 37 billion per annum, and the latest UK defence budget was GBP 53.3 billion. The average cost of compliance for smaller financial institutions in the UK was GBP 185 million per annum, with the larger institutions clocking up GBP 300 million per annum on average. Worst of all, the current 5.4% annual increase is expected to accelerate to 10% over the next three years.
The study estimated more than half of these costs were associated with onboarding due diligence, including ancillary functions such as name screening, ongoing due diligence, and risk assessments. Screening and ongoing monitoring on their own were said to take up 20% of FCC budgets.
People have been estimated to be the largest cost component, sucking up at least 55% of budgets. Technology comes a distant second, absorbing only 25% of FCC budgets. Training is the last big item, being responsible for 15% of the overall spend.
The top drivers for cost escalations were cited (in order of severity) as being increased regulation, evolving criminal threats, increased data privacy requirements, higher customer expectations, and accumulating geo-political risk.
When asked what could be done about such costs the largest portion of respondents thought there was scope for improvement in the areas of name screening, identity checking and authentication, ongoing monitoring of customer relationships, and alert decisioning and investigation.
Many of these issues are problems that have occupied compliance managers since FCC began. The fact that we are still talking about them today is probably down to the fact that none of the challenges is static. Most of the issues compliance and risk managers face simply out-grow the solutions, and continually upgrading the solutions gets more expensive.
Nowadays, compliance managers are turning more and more to technology to beat this vicious cycle. Technology is expected to simplify compliance tasks and drive costs down, but at the same time it needs to process more data, perform more functions, and deliver better quality than ever before. In other words managers are seeking increased productivity at the same time as better outcomes.
From a due diligence perspective technology is a must. We need tools to find data that is important to us, to pull that data into our own systems, then to filter data the way we want it. We need tools for overcoming language barriers, tools for screening names efficiently, tools for screening unstructured data (particularly with respect to transactions), tools for dynamic profiling, tools for performing risk assessments, and tools for managing processes. The list goes on.
Thus any compliance plan that does not put technology at the forefront of its strategic vision is going to fail horribly.
But there are serious caveats. How technology is implemented is just as important as what is implemented.
Technology is not inherently a cost saver. It has to be built that way, and implemented to optimize. Nearly always the business case for a technology solution is that it will do more, and better. The likelihood is the solution will do more and better, but in so doing it will create more work. Productivity may go up, and unit costs down, but processing more and better is ultimately going to cost more than the present.
Organizations, however, have no choice but to get on the treadmill of never-ending improvements – of which managing costs is a necessary component. Unfortunately the tendency thus far has been for wild swings of the pendulum between budgetary famine and feast – with risk and compliance budgets rising and falling according to the prevailing mood. Coherent long-term cost plans are harder than they sound.
Big tech solutions carry big risks for cost planners. The compliance world is littered with the expensive sub-optimal. Even when the resulting solution is good, the organization may find it has baked-in outsized and inescapable costs for the future, not least of which will be maintenance and end-of-life costs. Relying on external providers can sometimes be the equivalent of putting the corporate head into the jaws of the lion. Being in control of IT costs is often a delusion.
Algorithms and AI are often seen as ways to reduce the costs of human intervention (particularly with respect to false positives). Getting to the point where meaningful cost savings can be made, however, can be challenging, especially as AI tends to be data hungry, and it is a fussy eater, wanting only reliable data and precedents. Moreover, regulators don’t like black box decisions. When things go wrong, which is inevitable, understanding why can be a costly exercise in itself, not to mention the cost of fixing the problem.
Assessing the actual costs and benefits of technology is notoriously difficult. Calculating cost avoidance is something of a black art, and getting projects past the C Suite often requires accounting wheezes designed to obfuscate. Wheezes such as shuffling or downplaying maintenance costs, overplaying benefits, understating risks, spreading capex and opex costs across unsuspecting departments, hiding integration costs in existing budgets, and omitting retirement and replacement costs, all make it impossible to know for sure whether the organization is saving money, or merely spending more because it has to.
Neither are IT costs just IT costs. Without commensurate investments in people, products, processes, and regulatory interaction, no amount of upgrading IT is going to meet compliance objectives.
Lastly, excessive automation can undermine values, which at the end of the day are priceless. Value judgements, as we all know, are best left to humans. Putting too much decision making in the hands of a machine can, in effect, make technology rather than humans arbiters of corporate and compliance culture. Most organisations are not there yet, as they are still grappling with fundamental problems (such as excessive false positives), but be vigilant – culture is invariably at the root of corporate failings.
The author leads TSG’s Advisory Services. He has spent many years in law enforcement and banking specialising in financial crime risk and compliance. TSG is a Research (including due diligence) specialist, also offering Ethics Compliance and Advisory services to its clients. TSG offers expertise in Eastern Europe, as well as East Asia.