
August 10, 2010

Volume 6.8 Article on Regulatory Compliance: The Cost of Noncompliance Outweighs the Cost of Compliance

By: Jim Wistman, MBA
Dateline: 21-July-2010 

Today, the President signed landmark legislation that reshapes the financial landscape. This article does not attempt to summarize this monumental act; instead, we take this occasion to take a “long view” on the central megatrend in Compliance Risk Management: the costs of operating an effective compliance risk management program continue to rise. 

The rising cost of operating a compliance function is outpaced only by the costs of noncompliance: the pace of enforcement actions has surged, and the size of fines has risen exponentially. The most recent example is the settlement reached between the SEC and Goldman Sachs of over ½ billion dollars. That settlement follows on the heels of similarly supersized outcomes for OFAC violations at Credit Suisse and Lloyds. No one should think this trend is over, and no one should think it is limited to the New York marketplace; there are many rumors of additional OFAC and Justice Department pending cases that simply have yet to work their way through all the legal channels. Additional actions by the Federal Reserve or other banking regulators, or CFTC, are entirely possible, not to mention the enforcement powers of state-level banking departments and attorneys general, etc. 

To take the long view on this trend in compliance risk management, the best place to begin may well be either (i) the transcripts of the Ferdinand Pecora investigations all the way back in the days of the Great Depression (which led to the passage of Glass-Steagall and the separation of banking and investment banking), or (ii) the issuance by the Federal Reserve System of a Supervisory Letter known as “SR 96-14, Risk-focused Safety and Soundness Examinations and Inspections.”

The latter went by the nickname of “The Prescription for Risk-based Supervision in the 21st Century,” or “Rx 21.” Yes, it was in the mid-1990s (before the passage of the Gramm-Leach-Bliley Act) that the Federal Reserve started to roll out risk-based examinations, and it was a very significant moment; the Rx21 initiative began the process of compelling banks to “internalize” the ongoing costs of Governance, Compliance, and Controls (i.e., to affirmatively evidence ongoing compliance). From the mid-1990s to today, regulators have increasingly pressured financial institutions for in-house resources, which come at the expense of the shareholders and/or customers.

Having served as the U.S. Compliance Officer for five of the world's largest banks (U.S., British (2), German, and Asian), I have had the privilege of advising the boards of directors on how to manage this inevitable transition and “absorb” the inevitable costs not only in the U.S. but globally as well. The overriding “lesson learned” from these experiences is this:

The costs of noncompliance vastly outweigh the costs of implementing and maintaining a proper compliance program.  

The supersized fines of late seem to be designed to drive this point home.  Someone recently quipped at a conference: “They were always raising the bar, now they are raising the stakes.” These fines not only hit the bottom line in a “material” way, they also rock the stock price, and (worse) they may completely derail the bank’s plans for revenue growth until regulatory relations are repaired. Opportunities may pass you by while you are mending your fences with the regulators.

The second most important “lesson learned” is that the optimal approach to operating a fully effective compliance program is to manage a budget that blends internal and external resources. This is true no matter the size of the institution.

  • For smaller firms, the CEO’s goal is to develop and retain one loyal Compliance Officer who can coordinate the program and control costs by “co-sourcing” as much as possible with (i) colleagues in other departments and (ii) external experts and vendors.
  • For larger firms, the CEO’s goal is to develop and retain a cadre of highly capable compliance officers who are specialists in certain areas (e.g., mortgage origination, bond trading, compliance testing) and then support them with vendor-provided data feeds, alerts, etc. (e.g., sophisticated software for anti-money laundering alerts, centralized training and registration requirements, etc.). One amongst this cadre of experts is the Chief Compliance Officer, who may well be “the chief amongst chiefs” depending on the size of the business and complexity of its operating units.

The truth of the matter is that no compliance department can truly “go it alone.” One common mistake is to under-budget the compliance department and expect that one person will miraculously “take care of everything.” The other common mistake is to “overbuild” the compliance department and “pad” the department with excess staff, rather than “rent” resources on an as-needed basis by making smart use of vendors and consultants. Also, overbuilt departments tend to become too inwardly focused and lose sight of industry trends and emerging best practices. Vendors and consultants bring in a steady flow of fresh ideas and best practices, which may well result in cost savings. For those who struggle to see how this model applies to managing a cost-effective compliance program, it may help to consider how IT specialists are used: very often the Chief Technology Officer commands a permanent staff that is few in number relative to the large numbers of temporary specialists who are retained to “get through” periods of “peak IT loads,” such as systems conversions, upgrades, etc.

At this historic juncture in compliance management, we recommend that every financial institution consider the lessons learned since Rx21 was launched: 

All firms should reflect on the rising costs of compliance, and consider carefully the costs and benefits of any hiring of additional permanent staff in response to the new legislation.

Costs will surely rise even higher, and the hiring of additional staff may be a knee-jerk reaction of some firms; firms should first consider the use of co-sourcing simply because that has proven to be the path that leads to the most cost-effective and sustainable programs over longer-term business cycles.

Jim Wistman serves as the Director of New York for ICS Compliance.
