By Shafiq Mazlan, CMO
A firm’s compliance cost is the total expenditure incurred in adhering to government and industry regulations or legislation. This can include the salaries of compliance officers, spending on reporting, software or platforms to manage compliance, or just about any ongoing expenditure for conforming to regulations. Typically, the cost of compliance is directly proportional to the level of regulations in an industry or country, put in place by local and international regulations. The more jurisdictions a company operates in, the higher the compliance costs as well.
Today, complying with ever-changing regulatory laws is not only difficult, but increasingly costly as well. Companies operating in different geographical locations face differing regulations. The U.S. checks the sum total of a firm’s operations to monitor compliance with AML and anti-terrorism legislation, while in Europe, all companies selling goods and services are required full compliance with the stringent General Data Protection Regulation (GDPR), hence increasing compliance costs from appointing data protection officers (DPOs) to overlook implementation of regulations and privacy measures.
The Rising Cost of Compliance
Over the last 8 years, the cost of compliance and risk mitigation has consumed almost all discretionary funding available to firms. Ever since the financial crisis, operating costs on compliance have increased by over 60% for retail and corporate banks.
With the rising cost of compliance comes many other changes as well, in the areas of regulatory, technology, and role changes to name a few.
With regulatory compliance increasingly becoming a complex function requiring cross-functional effort, it is no longer just the sole responsibility of the compliance officer or chief risk officer. Chief experience officers (CXO) have other roles that are crucial to the planning and establishment of regulatory compliance.
Senior Compliance Resources
In the recent Thomson Reuters’ Cost of Compliance report, the general consensus from respondent firms for the upcoming year is that the cost of senior compliance specialists will either rise or remain the same at the high costs the industry currently commands (97%). Having been consistent for the past 6 years and in correspondence with the expectations of rising budgets, the survey this year shows results that most companies expect the cost of senior compliance staff to continue rising slowly (50%), a consistent expectation throughout the world. Similarly, in correspondence with budget expectations, some signs point to the ever-incremental compensation for senior compliance staff since the financial crisis having reached a peak, and for the first time in 6 years, the largest percentage of respondents have reported that they expect costs to stay flat (37%).
The involvement of compliance officers is required in overlooking all significant outsourcing arrangements, especially when compliance – also outsourced – is involved. For outsourcing to be cost-effective and efficient in supplementing in-house resources, it must be executed appropriately to be beneficial. The basis for successful outsourcing is that while activities can be transferred to a different group, organisation, or third party, the managerial skills for those activities must remain in-house. In an intra-department outsourcing scenario it may be less prevalent, but for a separate legal entity with a separate license, it is crucial. Similarly, a branched or structured firm would also need to analyse the effectiveness of the outsourcing arrangements and the skills, governance and local responsibilities of the branch.
Mismanagement of Board Agenda
The authors of the survey also found that regulatory matters, which include correcting non-compliance, avoiding more sanctions, and establishing structural changes to obey new rules, are taking up “disproportionate amounts” of board agendas.
The survey also exposed the lack of coordination in how control functions interact and are aligned. For example, approximately half of compliance staff spend less than an hour with legal, internal audit and risk functions to discuss compliance matters.
To address these issues, the board has to continue to support compliance teams and senior leadership with the budget and resources to instill a culture of trust and transparency. As advised by the authors, "The pendulum needs to begin to swing back at least in part toward the business itself to allow for business improvement and development, rather than having all change capacity and capability taken up by regulatory issues".
However, they added that this does not mean the board should stop focus on regulatory compliance matters, but rather to maintain balance between those matters and managing the business.
Another issue faced in compliance is the threat of technology, specifically from cybercrime and IT risks. IT risks are multi-faceted and should not be solely undertaken by the IT department. The authors mentioned, "Compliance functions need to be engaged in the consideration of risks to the business (and by association the potential effect on their customers) from an attack on the wider financial services infrastructure, as well as the implications of a direct attack on the firms themselves".
Due to the rising compliance costs, many firms are resorting to large enterprise-level systems to reduce the number of dedicated compliance specialists needed such as DPOs. However, the trends that created these systems, such as big data analysis, became a double-edged sword in helping regulatory bodies with the further discovery of non-compliance.
The Cost of Non-Compliance
On the topic of non-compliance, recent episodes of compliance infringements have shed light on the monumental amount of fines being rolled out for non-compliance and data breaches. A simple comparison between non-compliance fines in Singapore, the EU, and the United States demonstrates that the cost of non-compliance can be greater than the already rising above-mentioned compliance costs, which comes as no surprise.
For non-compliance with the PDPA (Personal Data Protection Act), the Personal Data Protection Commission (PDPC) may issue regulatory fines of up to S$1,000,000 (approx. US$700,000) for infringements. The PDPA also imposes criminal sanctions, including fines of up to S$100,000 (approx. US$70,000) and one-year imprisonment. In calculating a financial penalty, the PDPC has a non-exhaustive list of aggravating and mitigating factors that it may consider.
The GDPR, which will come into effect on 25 May 2018, will impose fines of up to €20 million, or 4% of the total annual revenue of companies who breach data protection regulations. A research by Oliver Wyman shows that fines of up to £5 billion annually could be faced by FTSE 100 companies if they do not comply with the GDPR. This figure was obtained by identifying prominent FTSE 100 companies which have incurred a known data breach over the last 5 years. It used financial reporting figures from 2015 and applied the 4% of annual revenue fine to obtain a total of £25 billion, or £5 billion annually.
“For the most serious violations of the law, my office will have the power to fine companies up to 20 Million Euros or 4% of a company’s total annual worldwide turnover for the preceding year.” Elizabeth Denham, UK Information Commissioner at the Information Commissioner’s Office. Speech – “GDPR and Accountability” at the Institute of Chartered Accountants in England and Wales.
For non-compliance with data protection laws, the Federal Trade Commission (FTC) Act can impose fines of up to US$16,000 per offence. Additionally, the offender can face up to ten years imprisonment and up to US$500,000 of fines (for individual offenders) and US$1 million (for a company) if such offences are committed or attempted while violating another US law or as part of an illegal activity involving more than US$100,000 in a year. The FTC can also obtain an injunction, restitution to customers, and repayment of investigation and prosecution costs. Criminal penalties include up to ten years imprisonment.
In 2006, ChoicePoint paid US$15 million to settle charges by the FTC of inadequately protecting the data of millions of consumers. Settlements with government organisations can also include cumbersome reporting requirements, audits, and third-party monitoring. A major retailer that settled charges of inadequate protection of customer's credit card numbers agreed to allow a 20-year comprehensive audit of its data security system.
Current Costs of Compliance Solutions
While many compliance staff have focused on traditional cost-effective ways to lower the expenditure of meeting regulatory compliance and have gained some relief, many are now looking towards emerging technology for greater improvements.
What are the costs of implementing current compliance software then? A quick look at Resolver, a popular compliance solution software, charges $26,150 per year for their enterprise pricing plan.
Another popular GRC (governance, risk management and compliance) software, from LogicManager, charges $30,000 annually for their “standard” pricing plan.
Again, the high costs come as no surprise as the regulatory/compliance industry (or arguably lack thereof) is one that is growing, and GRC firms are cashing in on the GDPR epidemic through increased sales of their pricey solutions.
The Rise of RegTech
As the cost and change of compliance rise exponentially, the pressure is increasingly growing on finance departments of companies to find the teetering balance between managing compliance, staffing, and operations expenditure.
Current infrastructure is struggling to keep up with regulatory compliance, with new regulatory requirements becoming more technical and data-centric. The legacy code that current infrastructure is built on is difficult to replace and incapable of keeping up with the technical requirements expected by regulators.
The advent of this regulatory fatigue has brought about the growth of the Regulatory Technology (RegTech) industry. RegTech is broadly defined as any technology/software that is created to address regulatory issues, helping firms understand regulatory requirements and be compliant.
Now a $100-Billion market, more firms are leveraging RegTech solutions for cost-effective and scalable alternatives in efforts of slashing current expenditure. One of these solutions is Regit; a compliant consent-based platform that simplifies and automates the exchange and updates of information between businesses and their customers. Regit only charges a mere $3600 per year for their “heavy” price plan.
Through digitisation and streamlining, many RegTech solutions today bring about efficiency to workflows. New and upcoming RegTech solutions are also increasingly leveraging AI and machine learning, natural language processing, and blockchain to significantly reduce the need for existing manual processes and human intervention.
RegTech is increasingly playing an important role. The value of efficiency and automation are coveted by firms, more of which are switching to a proactive approach to regulatory analysis and response. This will in turn strengthen oversight function roles within the business and improve operations. In the near future, RegTech could completely automate current policies and procedures of regulatory compliance, or even reduce the need for human intervention for regulators themselves.