Should banks re-draw the barriers between lawyers, compliance officers and risk managers?
Naomi Bowman, Berkeley Research Group, MD, London, 13 April 2018
The last decade has seen a seismic shift in the way banks structure their legal, compliance and risk divisions. Now more than ever, these three functions are kept separate at large financial institutions, to the extent that so-called ‘silos’ have become normal.
The rise of this structure has largely stemmed from the evolution of the regulatory landscape. Over the past few years, litigation and regulatory enforcement action (e.g. with respect to rate fixing, Ponzi schemes, anti-money laundering and sanctions, mortgage foreclosure related matters, interest rate swap and credit default swap litigation, etc.) have become more common and regulations have become more complex. This has led firms to rely much more on in-house and external lawyers and on qualified compliance staff. The British Information Commissioner’s Office, for example, considers the European Union’s General Data Protection Regulation to be a ‘living document,’ to be edited and updated continually, and financial institutions will have to keep their staff constantly up-to-date with its evolving requirements as the goalposts shift.
Other regulations, such as the Financial Conduct Authority’s conduct-risk guidelines and its Senior Managers’ and Certification Regime or SM&CR, are based far more on judgment. Once again, organisations ought to employ suitably trained people to make informed decisions about how to comply. As a result of this shift in the regulatory environment, many banks have separated their legal, compliance and risk functions from each other, thereby dividing up the responsibilities of people whose task it is to respond to the high volume of litigation and regulation. This strategy seems to be pragmatic, but is it?
The different silos
In general, the legal function continues in its vital job of defending and protecting the organisation against writs, prosecutions and indeed regulatory enforcement action. In some instances, legal and regulatory risk cannot help but overlap – for example where litigation takes over after the regulators have uncovered malpractice. Compliance and risk functions, on the other hand, are pivotal in identifying and offsetting regulatory and reputational risks.
Although the ‘siloed’ model works well at dividing up certain activities, it does not make a financial institution flexible enough to react to regulations well or make full use of the lessons it has learnt from all the litigation that might have affected various disparate parts of its group.
Lawyers are responsible for overseeing incredibly complex litigation matters, but they are not accountable for changing their organisations’ systems and controls to take stock of lessons. Ideally, the senior managers at their firm should keep asking them to make recommendations to their colleagues in the risk and compliance silos to change their systems and controls in order to reduce the likelihood of future regulatory enforcement or litigation. With the prevalence of the siloed structure, however, this is often difficult as each function inevitably has a slightly different strategy and contains people with different incentives and objectives.
The deficiencies of this approach to risk management have often gone unnoticed. Since the world’s financial crisis began in 2008, the number of multifaceted regulations which require responses from the legal, compliance and risk parts of firms has grown exponentially with the introduction of regulation such as the US Foreign Account Tax Compliance Act 2010, the Basel III accounting standards, the EU’s second Markets in Financial Instruments Directive, the General Data Protection Regulation, etc.
Falling between three stools
Where separate silos exist, the responsibility for successful enterprise-wide implementation often has to sit with one of them exclusively. The choice depends on the regulation in question. However, there are countless instances where regulations overlap. An organisation that fails to make its legal, compliance and risk teams work together well runs the risk of duplicating efforts and draining it of resources needlessly.
Such a fragmented approach can also expose financial institutions to regulatory punishment. For example, each team might assume that the other has managed a certain element of the regulation, when neither actually has. Moreover, an under-resourced team might ignore a particular regulation entirely.
An alternative to confusion
Banks can eradicate such inefficiency by aligning their legal, compliance and risk functions to specific front-line divisions. For example, the private banking team at a global bank could have its own legal, compliance and risk team assigned to it and it might keep them separate from the legal, compliance and risk people assigned to other divisions of the bank. This could remove any potential for bad oversight and ensure that the right budgets go to the right projects.
As we have seen, the board of a bank often assigns the management of (and accountability for) compliance with a particular regulation to one function as opposed to two or three jointly. It should, instead, be more pragmatic in its approach to that regulation, perhaps by forming a task force that draws people from the legal, risk management, compliance, human resources and IT departments. Every function should have a nominated accountable individual and the governance body (which is as good a name as any to give this task force) as a whole should have a clearly articulated and consistent set of objectives, which should help it ensure that everyone is pulling in the same direction. It – and not a single department – could then allocate and manage resources and money wherever it saw fit.
Improvements in communication between departments can make this new structure more efficient still. This might ensure that meetings that the bank organises to discuss a new piece of regulation are attended by the right members of the right teams. Too often, the right decision makers are left out of these meetings. For example, discussions about the use of new regulatory software are likely to be futile without the participation of the IT department.
Smarter pay packets, smarter software, smarter management
As we have said, the ‘siloed’ model unintentionally creates conditions in which people are only motivated to operate and collaborate with people who work in their own silos. Each bank should therefore ‘incentivise’ people in its different divisions to collaborate with one another. It should adjust their pay to reward them for the right behaviour, in the same way that it pays them for outstanding performance.
The advent of new technology can also lead to more collaboration and understanding between legal, compliance and risk management teams by providing them all with access to the same information. However, regulations are changing rapidly and a simple, one-size-fits-all piece of software has its limitations. All too often, banks treat new software as the only necessity when, in truth, they ought to try to change people’s behaviour and make them communicate with each other more clearly beforehand.
What is more, financial institutions ought to look for problems in the quality of their data. They can install the most sophisticated piece of software and still not solve the old problem of ‘garbage in, garbage out’. In this age of silos, firms often fall into the trap of asking ‘who owns the data?’ The next, inevitable, question is ‘who pays to clean the data up?’ The adoption of new software is far more exciting and far more likely to attract support for funding than an improvement in the quality of data, but unfortunately the latter is a necessary evil. This is especially true for larger organisations with old-fashioned systems that underpin many platforms and data formats.
When a firm rolls out some software, it does not always see to it that the whole organisation uses it. It is incumbent on the board to evolve a clear ‘communication strategy’ that lets employees know when and why they might want to use a new piece of software and how it will benefit them; boards often fail to do this.
Finally, most technology roll-outs fail because only a very few people – who frequently are not the end users – plan them. This goes back to good governance yet again. At the outset of a project, the bank in question must identify the most appropriate people to represent their functions at the design and implementation stage; they frequently ignore this duty.
If a bank takes the time to re-imagine the structure of its legal, compliance and risk management divisions, it will create more opportunities for the “second line of defence” (risk management and compliance) to hold the first (operational management) accountable. A strategy of the kind that we have just discussed is bound to bring people from the silos together and make them more accessible to the first line. Such a change would no doubt have to be managed carefully, with plenty of clear demarcation between people’s jobs and responsibilities, but once it has been made and is underpinned by effective communication, a targeted use of technology and a behaviour-based pay structure, it can improve operations no end and lead to an increase in shareholder value.
• The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates. Naomi Bowman can be reached on +44 203 725 8387 or at firstname.lastname@example.org