Accenture has completed a survey which looks at the ways in which 150 compliance officers at banks, insurance carriers and capital market institutions around the world are preparing their departments for the future. The results are broadly in line with trends reported elsewhere on Compliance Matters.

Compliance departments can no longer rely upon an increase in headcount to make themselves more effective. Only 22% of respondents say that they now have more than 500 people in their compliance function, representing a 9% drop since last year.

Despite reductions in staff numbers, compliance spending can only increase from now on. In line with Accenture's findings over the last four years, 89% of respondents say that they will invest more money in compliance over the next two years. "Compliance technology transformation" is their top spending priority, both over the next 12 months (57%) and within the next three years (51%). Compliance is moving towards the deployment of IT rather than people. This seems to please Accenture, which sells software.

The human factor

To make the most of their investments in hardware and software, compliance departments are going to have to re-train their people. More than three-quarters (76%) of respondents have spotted a sizeable gap between the skills that are available and the skills they require. Accenture thinks that this 'skills gap' - a term that it seems to have fashioned from the terminology of the Cold War - will prevent compliance people from understanding the ecosystem of risks that they face. Its fear is that compliance officers, for all the investments in technology that they are planning, might not deploy IT effectively.
 
Bad data quality is another impediment to the proper use of IT and to progress in general. One in three (31%) of respondents say that "data quality issues" are bound to hamper them as they try to perform their most important functions over the next three years.

The 'skills gap' and poor data quality may also be stopping financial firms from offsetting important risks in a proactive way. Only 7% of respondents in the 2018 study place 'conduct risk' (often defined as the likelihood of bad results for customers, or of the integrity of markets being compromised) among the top three most grievous risks that they had to manage (down from 27% in 2017), with 14% claiming this for 'product risk' (defined by NASDAQ as a type of mortgage-related risk that occurs when a lender has an unusual loan in production but does not have a sale commitment at a prearranged price). Meanwhile, 13% say that 'model management risk' (a term, like the others, that the survey does not define) is one of their top three most grievous risks to be managed over the next year. These findings may indicate that compliance people are concentrating too closely on the most important risks that the industry faces today (risks involving cyber-attacks and financial crime) and not closely enough on emerging risks associated with corporate conduct, the proliferation of virtual currencies and the use of artificial intelligence.

Software - the great white hope

The pressure on compliance functions to re-shape themselves is now higher than ever. New digital technology is changing the ways in which customers behave and is affecting demand for banking services as well, expanding the number of threats for financial institutions along the way. Regulators, meanwhile, are coming to insist on financial institutions showing them some evidence of their compliance in their business results as well as in their espousal of the right controls. This is making the job of the compliance function - both as a source of business advice to the board and as a 'control' function - more complex. Meanwhile, relevant manpower is becoming scarcer. Since last year, the take-up of new compliance IT has been phenomenal.

For example, 49% of respondents want to deploy a new surveillance system. Without it, they would suffer from the problem of older software reaching the end of its life or ceasing to have the breadth of proactive abilities that the compliance surveillance agent of the future is going to require. The respondents are also using unprecedented amounts of 'regtech,' stating that techniques such as machine learning, natural language processing and natural language generation are allowing them to "extract the signal from the noise" in their increasingly dense data landscapes. Machine learning is especially good at helping compliance officers to spot patterns of behavior in their own organisations and among their firms’ customers and third parties. To keep up with the ever-changing nature of the IT that they are constantly updating, compliance officers ought to undergo continual training.

To build, buy or subscribe

Accenture takes the occasion to discuss the "build or buy dilemma" that has bedevilled financial institutions since the dawn of compliance/AML software. It states, none too eloquently: "By 2020, Accenture expects most compliance functions to be driving an innovation-led strategy for their function. We see industry-leading compliance functions adopting a mixture of three investment approaches — building in-house capabilities, buying end-to-end solutions and subscribing to managed services and industry utilities that mutualize cost of ownership across firms with similar needs.

"Combining these approaches within one integrated strategy allows compliance functions to deliver the sustainability of outcomes required to be both a control function and a strategic advisor to the business while addressing an ever-more complex threat landscape. Some institutions are continuing down the more traditional path of building their own capabilities, while others are looking to cut the cord and lower their costs of ownership through subscribing to software as a service (SaaS) solutions from vendors or buying end-to-end managed services from third parties that can bundle leading plug-and-play technologies, innovation and skilled resources [together]."

"Compliance functions seeking to maintain close oversight of end-to-end controls continue to build their own capability. While maintaining ownership may provide additional career opportunity [sic] for in-house compliance officers, such a strategy can require significant change and maintenance effort. In our study, only 42% of respondents favoured building proprietary technology rather than [using] third-party solutions. Functions seeking to buy capability are facing a proliferating and often hard-to-navigate choice of vendor solutions, creating difficulties in identifying those that are dependable or sufficiently mature. In this year’s study, 50% of respondents said they intend to invest in technologies to leverage proven solutions and third-party investment in innovation."

Firms that offer financial services are travelling down a third path in increasing numbers by using third-party managed services. It takes far less time to install these services and sometimes they generate savings for compliance functions in respect of payroll and the continual maintenance of software and hardware. A hefty 45% of respondents to the survey use a managed service for financial crime, while 43% do so for surveillance and 40% do so for regulatory change management. Sometimes institutions club together to subscribe to third-party services (notably a single host platform) if there is no clear competitive advantage to be had from acting singly. These different services operate a “pay as you go” type model and any host platform worth its salt is bound to accumulate more and more experience, the better to upgrade its software and services when the time comes.

Accenture does not favour any one of these three ways of doing things. It adds that compliance leaders ought to apprise themselves of their firms' commercial strategies and risk appetites as "compliance assumes a more prominent position within a more integrated second line of defence." This famous "second line of defence" (presumably against the displeasure of regulators) consists of people resposible for compliance and risk strategy; the third line consists of auditors.

Goodbye to annual plans?

As the industry continues to evolve rapidly, the time between major changes is narrowing constantly. Accenture now believes that annual plans, containing once-yearly risk assessments, are no longer effective.