Senior Partner & Managing Director
Banking organizations operate in an increasingly complex regulatory compliance environment that demands enhanced transparency and greater focus on combating financial crime and minimizing conduct risk. In a world of multiple threats, banks must work harder to show that they have the right controls and culture in place. Bank compliance capabilities are under the spotlight, too. Regulatory enforcement actions led to approximately $321 billion in penalties worldwide during the period from 2009 through 2016, significantly affecting earnings. (See Global Risk 2017: Staying the Course in Banking, BCG report, March 2017.)
Many banks initially responded to the punitive regulatory environment with quick-fix remediation programs involving new controls and a flurry of hiring. Over time, however, a more considered approach to regulatory compliance has emerged, with banks defining comprehensive compliance risk taxonomies that they can use to scope and inform target operating models. These changes mark the beginning of a compliance transformation across the industry—accompanied, unfortunately, by spiraling costs and pressure on human resources.
Digitization, the final stage in the transformation process, has the potential to create a step change in compliance operations. The catalyst is the emergence of smart technologies, which offer significant performance improvements and the ability to mimic human capabilities such as learning, language use, and decision making.
Smart technologies have multiple potential applications in the context of compliance, from support for relatively routine tasks in client onboarding to analysis of unstructured data sets—for example, in relation to money laundering. Across the board, these technologies offer a route to significant efficiency gains and can help employees work more effectively.
The starting point in building a cutting-edge compliance framework is to establish a taxonomy that describes and classifies key areas of risk. Such a taxonomy is also a prerequisite for defining the scope of a target operating model. The six most relevant types of compliance risks relate to financial crime and conduct.
Three of the six types involve forms of financial crime risk:
Three other types involve forms of conduct risk:
In addition to handling these types of risk, the compliance function encompasses regulatory compliance, which requires a detailed understanding of global and local rules and the authority to assign responsibilities to relevant internal departments.
A comprehensively defined risk taxonomy puts banks in a position to redesign the compliance target operating model, thereby clarifying roles and responsibilities and creating a more standardized and reliable compliance infrastructure. An optimized target operating model comprises five key elements: a compliance strategy, governance and organization, compliance risk management, a people strategy, and a policy framework. (See Exhibit 1.)
Financial institutions allocate a very large proportion (up to 90%) of their compliance resources to compliance risk management; the other four elements are much less resource intensive.
A Compliance Strategy. A groupwide compliance strategy provides a framework for the compliance function, setting out its objectives (or mission statement), rights, and responsibilities. It also encompasses a compliance risk strategy for conducting business in relation to eligible customers, certain products, and particular markets.
Governance and Organization. The target operating model mandates the first, second, and third lines of defense (the ultimate risk owner, independent reviewers of controls, and internal auditors, respectively), defines a governance structure, and provides an organizational setup for compliance operations. Compliance generally sits in the second line of defense. In support of this element, executives must specify the relationship between individual business segments and the compliance function, taking into account jurisdictional and legal variations across geographies.
Compliance Risk Management. Compliance risk management is a core capability that forms the basis of the target operating model and provides an operating framework for managing the key compliance-related risks—financial crime and conduct. This capability includes five key areas of focus, each with a primary task:
Effective compliance risk management should also provide an infrastructure to organize and analyze data, support legal documentation, and ensure that the right tools for implementation are in place.
A People Strategy. Securing the right talent in sufficient numbers is crucial, as is suitable training across lines of defense.
A Policy Framework. Executives need a comprehensive compliance policy framework, including a blueprint for creating, maintaining, and retiring policies and procedures.
Banks have implemented digital solutions across numerous lines of business in recent years. For compliance purposes, the most effective tools are smart technologies that collect and assess large volumes of data and perform related tasks. (See Exhibit 2.) Applications such as optical character recognition, data mining, and deep learning fall into one of four basic activities: collection, analysis, learning, and action.
Collection. This activity focuses on gathering and converting analog data to digital format for analysis and processing. This area has three relevant smart technologies:
Analysis. This activity involves analyzing data for pattern recognition. Essential smart technologies in this area include the following:
Learning. Machine learning from data involves training machines to improve their performance. Five smart technologies focus on specific forms of such learning:
Action. Mechanical actions may occur as a result of explicit instructions, or they may involve learned responses. Seven types of smart technology apply here:
Just as technologies can be segmented into specific capabilities, so can the tasks that they perform. Some of these tasks may be fairly routine, while others require intelligent capabilities to work with unstructured data sets. (See Exhibit 3.)
The tasks and technologies fall into three basic groups:
In the context of core compliance risk management activities, the various actions are subject to different requirements. For example, basic analytics such as data mining, case-based reasoning, and expert systems may offer the best support for monitoring global and local regulations, assessing risks, and implementing training. Some control and reporting activities, meanwhile, are so highly standardized that banking organizations can use machine room technologies such as robotic process automation, business process management tools, and voice and speech recognition to perform them. Others still—for example, analysis of specific trading patterns—are more complex and may require advanced analytics solutions such as natural-language processing and machine learning. (See “A European Bank Graduates to Compliance Smart Technologies.”)
Rising regulatory requirements obliged a European bank to increase its compliance head count, so it sought to boost efficiency and effectiveness through automation. The bank gathered information from across the business—for example, collecting data related to end-to-end process flows, number of full-time equivalent (FTE) staff members involved in each process, volume of alerts, percentage of false positives, and alert processing times.
Working with that information, the bank identified smart-technology initiatives applicable to different processes and evaluated their benefits on the basis of several metrics: decline in number of false positive alerts, speed of alert investigation, lead times to report suspicious activities to regulators, and resulting impact on FTE buildup. To prioritize initiatives, the bank mapped benefits against the effort necessary for implementation, leading to a project roadmap that prioritized quick wins and saved relatively complex challenges for a later date.
The first stage of implementation focused on process management solutions for anti-money-laundering/sanctions alerts and case investigations across business units, aiming to boost operational efficiency and cut risk. Next, the bank initiated a more ambitious program to introduce smart technologies, such as machine learning, in order to improve alert detection algorithms and facilitate early investigation procedures, thereby reducing processing times.
In terms of investment, the bank anticipated that year two of the effort would see the highest level of expenditure, with the budget tapering to zero over the following four years. It projected that compliance function costs would stand at 130% of base costs after two years, after which they would gradually decline.
As part of their obligation to guard against financial crime, financial institutions need to know their customers. This requires robust management of the customer life cycle, which consists of three key stages: onboarding, review, and offboarding. Essential elements of the onboarding stage are client identification and verification, which also help banks meet reporting requirements and build a better understanding of customer needs.
Drawing on our work with financial institutions seeking to develop harmonized standards for compliance risk management, we have built a tool that defines the key tasks and data fields (including documentation) required to comply with global and local regulatory requirements for onboarding. The tool provides the basis for defining a global onboarding process.
The eight-step onboarding process encompasses four major stages: identification, customer due diligence, enhanced due diligence, and confirmation. Customer identification (steps 1 and 2) entails the collection of public and private information that the institution uses to conduct customer due diligence—customer verification, conduct screening, and the generation of a customer risk rating (steps 3 through 6). The outcome of that assessment may prompt the institution to undertake enhanced due diligence (step 7) before confirming the onboarding (step 8).
Until recently, banking organizations performed many onboarding steps manually, simply because collecting information from—and checking—diverse sources required significant human intervention. Further, most banks did not have integrated workflow tools to help manage and monitor tasks. In the future, however, the commercial availability and increasingly common internal development of smart technologies will lead to greater automation. Three technologies will prove particularly useful in this regard (see Exhibit 4):
The automation and standardization of compliance risk management processes for onboarding are likely to become more and more deeply embedded in bank systems as institutions apply technology across the customer life cycle.
Heavier regulation and punitive fines have obliged banks to revisit target operating models and leverage smart technologies to improve the efficiency and effectiveness of the compliance function. What banks do next will depend on where they are in the compliance transformation process. Executives interested in optimizing a bank’s target operating model should focus on three essential steps:
For banks that have successfully established a target operating model, the increased availability of smart technologies permits compliance risk management that employs machine room, basic analytics, and advanced analytics activities. A strategic approach would involve the following preliminary actions:
There is no simple or standardized way to develop state-of-the-art compliance frameworks, but as banks move away from a remedial approach, through the development of target operating models, to new smart-technology platforms, they are likely to generate benefits for the business and stakeholders and to build a capability equipped for the demands of modern global banking.