The second part covers the What, Why, and Who of compliance. The What section breaks the understanding of compliance free from the narrow confines of merely being “compliant” to take it to its higher potential of being a critical element of holistic and healthy growth of the enterprise. It addresses the semantic maze in the space and delineates the oft-used terms and their relevance within the overall context of subject. It explores interconnections with other related aspects of the organization like ethics, governance, and risk management.
The Why section makes a strong business case for active compliance management, as its positive alignment with the organization's business model will enhance both the top line and the bottom line. The attempt here is to unveil the umbilical cord between the success of the business objectives and proactive compliance as a strategic intervention. This leads to a conversation on cost-benefit analysis as also the relationship between the business model, strategy, and compliance.
The Who section looks at the canvas of players in the financial services space. It covers the entire ecosystem of stakeholders of the industry, not just the designated compliance officers. The discussion covers the expectations from these players – their responsibility, accountability, and the interrelationships. It rounds off the conversation with the lines of defense an organization has for proactive compliance management.
The third part addresses the important How question: How do we create a positive and active compliance management (PAC-M) program? It covers the entire gamut of such a program, starting from defining the policy statement. Various compliance models, training, communication plan, boundary definitions, and compliance reporting are discussed. It explores the strategic and structural framework inclusive of structure and content of the compliance charter.
The book then dovetails the various aspects of operational framework like the compliance masters and compliance maps with indicative templates for each of them. Operations and management of various aspects like breaches, complaints, remediation, and more are discussed. The “multi” maze that large organizations have to handle, like multiple jurisdictions, multiple laws and regulations, and multiple regulators and authorities, is briefly explored. The third part addresses the entire life cycle of compliance right up to building a learning organization.
The fourth part examines the concept of compliance risk, one of the youngest forms of risk in the family of risks. This section takes a comprehensive look at the manifold aspects of the concept. It endeavors to expand the scope and depth of compliance risk definition, exploring the range of subrisks under its umbrella.
This conversation then covers the complete life cycle of management of compliance risk. Various aspects like risk appetite, risk identification, risk measurement, mitigation, monitoring, action tracking for remediation, and regulatory dialogue are examined. Sample scorecards and the process of building them are detailed with examples.
The fifth part of the book covers the real-life aspects and challenges of compliance management within financial services organizations. The focus is to succinctly bring in the real-world issues that industry participants struggle with while translating an ostensibly foolproof plan into practice. I have drawn from my own experience and that of other practicing professionals to share challenges being faced as they are, without sugarcoating any of the issues.
The conversation delves into the various challenges and their ramifications: the gray areas, overlaps, conflict zones, and myths associated with compliance. Lessons the industry has not learned are examined through a sample of actual incidents and experiences that shook the industry. Practical solutions to some of the operational challenges are also explored.
The last three parts (How, Compliance Risk Management, and Real-Life Issues) together are the essential toolkit of the book. These parts with their templates, score cards, models, formats, and real-life examples will, I hope, help practitioners both in realistically understanding the field and in effective execution of their responsibilities.
In the closing notes I share my thoughts on how compliance risk management is likely to evolve and my views on what will aid in the healthy growth of the discipline.
Part One
Introduction to Compliance in Financial Services
Practitioner's Note: The umbilical cord between business model and compliance
As a regulator and practitioner I have seen that organizations that miss or ignore the vital link between business model and compliance have had higher cost of compliance and lower return on investment, not to mention reduced business opportunities. Like Ms. Saloni Ramakrishna persuasively articulates, it is vital to understand the umbilical cord between business model and compliance.
There are two critical aspects to the business model (BM) of a bank. The first is the strategic business model defining what products, markets, customers, and regions the bank would like to be in subject to the Board's risk appetite. The second underpinning is the target operating model (TOM), which covers governance, decision making, recruiting, technology, human capital, legal structure, and operations. The objective of the bank is to execute its business strategy with an optimal TOM. Compliance lies at the heart of the TOM. The BM/TOM constrained by regulation must maximize its risk-adjusted return on capital (RAROC).
Compliance costs have spiraled upwards across the globe. The estimate is that over 30 percent of costs are spent on compliance. This has lowered revenue/cost ratios significantly, and it is estimated that compliance costs drive down ROE (Return on Equity) by a full six percentage points among the GSIFIs (Global Systemically Important Financial Institutions) and DSIFIs (Domestic Systemically Important Financial Institutions). Hence, it is critical as a long-term strategic imperative to get these costs down through changing the BM and ensuring that a firm has selected the most cost-effective TOM.
There are three core channels of impact on the financials. In simple terms, risk-adjusted profitability equals (R − C)/K, where R is revenues, C is costs, and K is a measure of risk-weighted assets (RWAs). Spending on projects drives up C. Furthermore, if the control framework and risk management are still poor, then the firm will suffer a drop of revenue through fines, penalties, licenses revoked, and lost customers. Firms that are found to have weak governance structures and incompetent risk management will be hit by both pillar one and pillar two capital charges. Finally, the valuation of share price will be lower if any of the aforementioned impacts are volatile. For example, continual penalties (like PPI (Payment Protection Insurance) or AML (Anti–Money Laundering) violations) will create excessive volatility, and profits will not be perceived as sustainable. The proactive compliance driven by business integrity that Ms. Saloni Ramakrishna strongly advocates as the vehicle for value creation is rooted in the impact it has on all of the three variables (R, C, and K) that have a bearing on the risk-adjusted profitability.
Given that compliance is in itself expensive, it makes sense to ensure that money is spent wisely so that major risks are avoided before they become a problem. Prevention is much cheaper than remediation, so choose the areas that give rise to the biggest risks and do not assume that the TOM is a given. It always pays to create a specific blueprint for the industry and firm and implement projects once! The three lines of defense model has its drawbacks. Often, the front office takes no responsibility for operational failures. Regulators are forcing changes in compliance where senior managers are being held accountable and have to self-attest that systems and controls are in order. For example, see the senior managers regime (SMR) in the UK: It is important that every control has an owner, a challenger, and assurance that this process is implemented. The blueprint that Ms. Saloni Ramakrishna details in the How part of the book captures these principles elegantly and fleshes them out through