13 Jun GRC Institute: TAS Compliance Index Roundtable
At the recent round of the Compliance Index, regulators were called on to reduce regulatory complexity.
This follows findings released in the 'first-of-its-kind' inaugural Compliance Index by TAS, a financial services technology partner. The Index was initiated in response to the capricious regulatory landscape that has little choice but to shift constantly to meet the risks and new technologies.
According to the inaugural Index findings, 76 per cent of companies are increasing their spending on compliance year-on-year, with over half adopting cloud-based technologies and solutions. There was also a call for regulators to collaborate more with regulatory technology.
These findings were announced less than a week after the Australian Securities and Investments Commission (ASIC) released a consultation paper on fintech and RegTech.
Lately, there has been a lot of emphasis on RegTech as an effective tool to help organisations keep abreast of the changing regulatory framework. Further to this, the new RegTech Association was launched a few months ago, providing an opportunity for those in the RegTech space to connect with those in business. It is part of the Association's mandate to help direct businesses to the products best 'fit-for-purpose' for their particular issues.
Compliance Index Roundtable
Interestingly, the Compliance Index Roundtable did not wholly focus on its findings, but served as a space for those in compliance and risk management to address the relationship between regulator and business, namely the opportunity to be both partner and regulator.
This is pertinent, since the Australian Transaction and Analysis Reporting Centre (AUSTRAC) has been pushing the Fintel Alliance as an opportunity to breach the barriers of that traditional relationship between regulator and business.
“As technology costs fall and capability increases, there is a unique opportunity to help established institutions innovate by partnering with Fintechs and RegTechs,” said Madeleine Mattera, Head of Finance Services at Grant Thornton. “Increasingly, data and technology will be used to supervise regulated institutions and will shed light on regulation complexities.”
At the roundtable, moderated by Kris Peach, CEO and Chair of the Australian Accounting Standards Board (AASB), discussion went beyond the call to reduce regulatory complexity and also challenged the opacity of regulation, as well as the updates organisations must absorb into their own risk and compliance processes.
At the same roundtable, Annemie Pelletier, Risk Officer for Real Cover, called for more clarity and less inconsistency in regulatory updates.
The challenge for regulators is that they may not be adequately resourced. Speaking in the context of AUSTRAC, Anthony Quin, Founder of Arctic Intelligence and Co-Founder of AML Accelerate, said the Financial Intelligence Unit (FIU) had about 260 staff and about 14000 regulated entities.
However, there has been some action on the part of regulators to be as nimble as fintechs. With regard again to AUSTRAC, it is their smart regulation platform and the use of the Fintel Alliance that enables them to share critical information.
“They are under international pressure by the Financial Action Task Force (FATF) to expand that to a whole range of new industries, and that is going to drive that up to 100 000,” Quin said. “So, you have a regulator who is in that environment, but how do they operate effectively?”
ASIC have also been talking about supervisory technology or suptech, which would offer tech-based solutions for an under-resourced and understaffed regulator.
Could the cost of compliance be self-imposed?
At last year’s GRC2016 Conference, Matthew Saines suggested in his presentation that organisations can sometimes create their own compliance burden as a result of how they approach regulation.
Twenty-five percent of internal processes, he noted, are created in response to external regulation that does not serve an obvious, internal purpose.
Has compliance, the cost of doing business, increased?
“I don’t necessarily see the cost increasing,” Michael Vainausakas, Chief Risk Officer and General Risk Manager of Risk and Internal Audit at Perpetual, said. “What I am seeing over the years—and I don’t know what the inflection point is that the cost has risen over a period of time—but it seems to be relatively stable. If you look across the financial services industry, which is quite diverse, there is always something new coming through.”
Vainausakas added that, when the Dodd-Frank Act was being introduced, consensus was that the financial markets had reached a new regulatory norm.
“From our perspective, it is the cost of doing business. You just have to make sure that you are staffed appropriately.”
Compliance and risk management operating as silos
The conversation shifted from the cost of compliance to how risk management and compliance should be integrated into the business. Is it the responsibility of the regulator or the organisation to determine this structure?
“What I have observed in some companies is that compliance and risk management are operating, basically, as silos and almost don’t talk to each other,” Pelletier said. “In some organisations, you have risk management and compliance as part of risk management, and in others, it is the other way round. And I think that, in the name of consistency, is why nobody knows how it fits together. There is no consensus on whether compliance is a risk and should be under risk management, or whether risk management should be a compliance issue.”
Integrated and at the same level
Jacqui Scully, Group Compliance Manager from ClearView Wealth, thought that the consensus about whether one function is a subset of another is not really that important; rather, it is up to the organisation.
“It is definitely dependent on the scale and size of the organisation, and the complexity and what products they offer,” she said. “I don’t think that you can be prescriptive and say ‘this is the way it always works’, because it may not work that way everywhere.”
She said that, in her relatively small organisation, compliance and risk management sit side-by-side.
“We sit together and talk together, and if something new is coming in, we look at it together. I think, traditionally, you would say risk is being forward-looking: ‘what are we going to do to prevent things from going wrong?’ Compliance, traditionally, is more about being: ‘okay, it’s now after the event; what went wrong, or tick a box; what has been going right?’ I think the challenge is to bring both sides closer together.
“Compliance isn’t just for ‘after the event’—it actually involves getting in at the beginning of the process as well.”
However, Elizabeth Sheedy, Associate Professor for the Department of Applied Finance and Actuarial Studies, said she believes compliance should always be a subset of risk management.
“What is an effective risk culture?” she asked. “To me, it is compliance, plus a whole lot more. Compliance is a really funny word because it brings up thoughts of merely being ‘compliant’. What we really want, however, is not mere compliance, but thoughtful engagement with a risk management system. We don’t have a system where a firm is doing the bare minimum to meet regulatory requirements. I think that most people agree that if you have a mature risk management system, people will see risk management as part of the best way of doing business.”
Risk management and compliance have to be integrated
Michael Vainausakas said that risk management does need to be integrated but it doesn’t necessarily have to be part of one business or the other. Is the breaking down of risk management and compliance really just another conversation about culture?
According to Karen Malzard, Superannuation and Insurance Head of Risk at ANZ, “What we have experienced is more of those phone calls about ‘we’re thinking about this, what do you reckon?’ Even today, I got called into something and someone is going ‘oh, we’re thinking about making this change, what do you guys think?’ and it was both myself, from risk, and our frontline compliance professional there, and I think that’s the cultural change that we need to see.”
Malzard goes further than both Vainausakas and Scully in that she is looking not only at the importance of that integration, but also for the business to understand the value proposition of this integrative approach and see it as both forward-looking and preventative.
“This is where the culture has to change—that risk and compliance are not separate.” Risk and compliance, according to Malzard, is the cost of doing business.
“Part of the complexity we are facing at the moment is that a lot of the regulatory changes we are seeing—about spending money to change a system, about regulatory requirements—is little more than three lines in a piece of legislation stating you could be non-compliant. That tension comes when you are with the board and senior management, and you are going, ‘I need X amount of dollars to change the system to comply with this piece of legislation,’ and then you have to answer the question ‘why?’”
It is not always easy to trace the consequences of failing to comply with a particular piece of regulation.
One thing remains clear: both the Index findings and the roundtable guests showed that organisations are still trying to figure out whether many critical issues lie within their own organisations or in their relationships with regulators.
While organisations do not want regulators to become overly prescriptive, there has been a general call for clarity when it comes to updates and new regulation.