A new approach to regulation

With new regulatory agencies and instruments has come a whole new way of framing the challenge of regulatory risk control. We now hear regulators using - and we need to understand - phrases that were barely known in financial markets a decade ago: "risk culture", "behavioral regulation", "conduct risk", "behavioral economics", "de-biasing".

Where previously, regulation and supervision mainly relied on internally-produced reporting of transactions, the new regulation looks beyond the regulated organization for external signs that customers are experiencing good advice, and good behavior generally. The supervisors' approach is:

"outcomes rather than process based... proactive, [seeking to] intervene early" [6]

"putting public trust and consumer protection at the heart of [regulatory] work" [7]

"deliberately not having a master definition of conduct risk but [looking for] the right culture, such as how a firm responds to regulatory issues; what customers are actually experiencing; how product approval processes and [other] decisions are made" [8]

The recent startling, unprecedented growth in the business significance of compliance is thus not just the result of a post-crash reactive 'spike' in regulatory enforcement actions, or even of the exponentially increasing cost of fines in the past two years. Although both factors played a part, they're not the main drivers of the change but merely symptoms that there is a deeper reassessment going on. Regulators are looking beyond transaction data to examine processes, decision design, how financial institutions behave in their markets, and how organizations design systems for their employees. A key feature of this revolutionary approach to the "regulatory enterprise" [9] is that it looks beyond the dry theory of economic utility towards a real-life, empirical view of human interactions: the "what actually happens" view of financial markets. Regulators will now judge firms on how they interact with customers in real time, not just on the rigor of their historic, econometric calculations of risk.

Along with this new approach comes a significantly higher compliance cost. Even if it is evaluated that cost in its most pared-down form, only in terms of fines and excluding other onward costs [10], the picture is sobering: cumulative fines for conduct-related infractions are projected to exceed $20 billion globally and it appears that total will only grow. Individual Directors and senior officers are also increasingly likely to lose their professional licenses, and livelihoods, following misconduct prosecution.

What else explains the rapid recent changes?

Regulatory powers expanding

Along with direct costs associated with increasing numbers and severities of enforcements, there is an underlying growth in exposure to "regulatory risk" as enforcers expand their remits. Formerly local regulatory agencies are extending their reach extraterritorially into other jurisdictions and between home sector jurisdictions too.

The past year has also seen a steady increase in the number and range of regulatory initiativesthat have a multi-territory or multi-sector impact. These include [11]:

• Alternative Investment Fund Managers Directive (AIFMD) (EU)
• Basel III (Global)
• Data Protection Directive (EU)
• European Market Infrastructure Regulation (EMIR) (EU)
• Foreign Account Tax Compliance Act (FATCA) (US, with global reach)
• Foreign Corrupt Practices Act (FCPA) (US, global reach)
• Future of Financial Advice Act (Australia, with extraterritorial reach)
• Markets in Financial Instruments Directive II/Regulation (MiFID2) (EU)
• Senior Managers Regime (UK)
• Solvency II (EU)

The extension of reach, between territories, sectors, and even between regulatory agencies via new alliances - such as between the UK's financial and competition regulators - concerns us all. Increasingly also, regulators are rolling out their own local headline-grabbing initiatives which are then copied by agencies in other jurisdictions: extending regulatory capital, phased payment of bonuses, enabling clawback of 'inappropriate' bonuses, creating new criminal offences, shifting the burden of proof, and senior managers' personal responsibility under threat of criminal prosecution.

• For compliance staff, the to-do list is getting longer and must now include at the very least:
• Protecting senior managers against personal regulatory risk [12]
• Managing regulatory relationships
• Keeping supervisors supplied with evidence of the firm's basis for 'acceptable' compliance action [13], developing qualitative reporting mechanisms for this
• Managing the convergence of risk, compliance and internal audit functions to support this

Engaging with the new requirements of Conduct Risk regulation [14] including creating the firm's own definition of "good conduct",as acceptable in the current reporting period [15] to any relevant regulators; and identifying acceptable forms of (external) evidence to prove this.

All this adds up to something more, however, with compliance having an unprecedented business significance and value. Above all, the evidence of increasing compliance costs suggests that the focus and scope of compliance responsibilities is transforming in response to the profound change in regulatory focus and outlook described here. New hirings reflect the dawn of a new mode of regulation, where new offences are set and defined in terms of observed human behavior, rather than proxy-reported financial metrics. Yet there is still a long way to go before either practitioners or regulators adapt fully to the implications of this change of control direction.

CHAPTER THREE

Unlike the bad old days: No longer is it 'compliance vs. business'

More rarely now, only in some parts of the landscape, the long and disreputable history, of compliance being culturally regarded as "business prevention" [16] continues. In financial firms, many Boards now look back to the crash of 2008 as a starting point for risk-cultural change [17], a cultural cue to transform the power of the compliance function and the Board view of risk culture that enables and defends it.

As the landscape of risk culture eventually shifts to take on a new shape, the industry is at last reconciling to the fact the crash was not, in fact, a failure of compliance but of risk modelling and even of business model, neither of which were originally (in 2008, at least) compliance-led functions. Specifically, the market failure may be attributed to an absence in the econometric model of a factor that we now know to be key: liquidity risk.

Liquidity risk was not on anyone's radar at the time. A behavioral analyst might argue that this was because liquidity is a function of market optimism - which is a behavioral effect, not a quant economic readout. The level of liquidity, or more alarmingly, the lack of it, is a consequence of how the market feels about contracting with a counterparty. It's a sentiment; what behavioral science would now call an affective factor, or you and I might call "emotional" or "intuitive". Certainly it wasn't rational; not a logically predictable, calculated response. The major driver of the credit crunch was, then, arguably, a form of behavioral exposure that no one's risk model had previously captured (including of course any of the regulators).

All of which suggested that a behaviorally aware form of risk control might be desirable. We needed more than simply a redoubling of the old capital cover standards - although that's happened too. Whilst doubling of capital adequacy has certainly required extra staffing to implement, in both risk and compliance teams, firms are now realizing the need to look beyond their traditional compliance remits to ensure future proofing in the new era of behavioral controls.

Salaries and hiring rates are rising as institutions begin to learn about the behavioral dimension to the regulator's agenda, and to fold this into their risk, compliance, and Board governance functions. The fact that those three functions now have an adjacent listing in published reports tells a new story: that the reach of the compliance function itself, potentially into Board decision-making [18], suggests tantalizingly a much wider horizon for the ambitious compliance practitioner

Against this background, there's an invigorating set of challenges that enlightened compliance leaders are now beginning to address: to engage with and lead the transformation that regulators are looking for, to help to build and promote a responsive business culture that encourages intelligent, behaviorally aware risk-taking and decision making.

CHAPTER FOUR

Getting past the past

Stories of risk system control failures are characteristic of a recent past legacy of stresses between Sales and Compliance functions in particular. The blame for these fractures lay partly in the historic design of banking organizations. Major banks have traditionally exploited their deep pockets and corporate longevity to drive away attempts at regulation. If a bank has bigger net assets than the government that's trying to regulate it, why wouldn't it use this resource to push back against any threat of new controls? More than one bank has been known to call its national leader's bluff, in a high-level game of "blink" that can force a government to back off.

Banks' reward systems were until very recently also a major part of the problem. In a Sales-based organization, where sales are rewarded in immediate cash commission or periodic bonuses, the pressure to close a sale will always threaten to trump any ethical concerns.

Then there's the product engineering/marketing function that is usually quite separate from risk and compliance. One reliable though unobvious measure of risk culture is how early in the product development cycle risk and compliance are invited to the table.

The above research anecdotes from CROs and CFOs point to certain key points of concern, which suggest why the future of regulatory intervention has needed to change direction. Going forward, risk managers will be on alert to the criticism that regulators may judge an organization's culture of compliance simply by seeing how large or small a percentage of the corporate budget is devoted to compliance activity. In the past there was more than a hint that finance departments exercised a cynical form of 'ethical rationing' of compliance activity by restricting its budget; from now on, less so.

Ever since behavioral research began to reveal which vital elements of compliance understanding were missing in legacy risk models, regulators have been happy to point out what these elements are. They include:

• The human dimension in general (a.k.a. Behavioral Risk), which explains why there is always a gap between any risk control as designed, and what the regulated group actually does with the control in practice. Real-world responses can and do range from energetic compliance through to active subversion and game-playing.
• The broader form of this phenomenon - that there's an even bigger gap between the good intentions of senior managers and the reality of 'what actually happens' on the shopfloor - is the subject of a long-running strand of behavioral economic commentary. Behavioral Economists refer to this as the 'Econs v. Humans' debate, and frequently write about it [21].
• That financial organizations regularly exploit their 'information advantage' over customers (a.k.a. Information Asymmetry); often in tandem with the knowing use of sales techniques that play on customers' biases and naivety. Together with sales teams' aggressive 'bad behaviors', these concepts inform regulators' ever-growing list of Conduct Risk infractions.

Why this, and why how? With the help of new behavioral insights, regulators are recognizing the past shortcomings of regulatory design, especially its reliance on classical economics and specifically the rational-actor assumption. The good news is that new regulation is much more people-focused.

There's some not-so-good news, however: The new approach may feel alarming for traditional compliance practitioners who have come to rely on econometric and 'black letter' evaluative systems. It requires compliance professionals to take on-board at least the rudiments of behavioral science. This is not an insurmountable challenge - many behavioral science primers are perfectly readable, and some of them are fascinating. As is becoming clear, though, everyone needs to accept and adapt to a fundamental change of outlook, since that's where the regulation is already taking us.

CHAPTER FIVE

Meanwhile, what's it worth to your employer?

Perhaps because behavioral regulation is turning out to be a massive income generator for those regulatory agencies who have tried it, it is catching on fast. While the new mode of regulation is partly a political reaction against the perceived failure of pure-econometric risk models to prevent the credit crunch of 2008, we must expect that behavior-based regulatory interventions - such as heavy penalties for overselling or market-rigging, or for failing as a Director to prevent these activities - will be the new normal. Whether local regulator calls these instruments 'Conduct Risk' interventions or some other phrase, we may expect these to be the future of compliance a generation to come. Now is therefore a very good time for organizations to take a fresh look at the state of their compliance training programs; check that established compliance training content is up-to-date, and add new training modules on both behavioral risk awareness and any specific new Conduct regulations in the organization's jurisdiction. If this requires a request to the organization's Board for an increase in compliance resourcing, the signs are that this will be more sympathetically heard than in the past.

CHAPTER SIX

Conclusion

It's fair to expect that compliance will continue to boom as an employment prospect, and result in a trend of rising spend on compliance officers and compliance departments throughout the world. Moreover, it's too early yet to say whether the compliance function has reached its full potential at senior management level.

What is already becoming clear is that compliance focused people from now on will look harder, but also with better tools of analysis and training, at how the world of product development and selling really works. Life, and working relationships, are not entirely about quantitative risk assessments ('how likely is X to happen?') but consist of scalar, qualitative judgments ('how far have we progressed in understanding customer expectations?')

• Going forward, everyone in compliance, risk and general management will need to look harder at how the regulators are mapping out the collective future, in terms of new behaviorally defined offences. Compliance teams will enjoy a stronger remit; in fact, the most enlightened compliance managers have already started to look beyond the old limitations of binary, quantitative, box-ticking modes of reporting, to promote a broader awareness across their organization of the latest behavioral compliance topics and related conduct exposures. All of this adds momentum to the already surging demand for and spend on compliance resources, as the wisest compliance teams look to train in 'best practices' to protect their colleagues from the increasingly long reach of the regulator.
• What is corporate compliance worth?
• Does increased regulation of corporations result in increased corporate compliance?
• What lessons can be learned from the compliance failures (i.e., corporate scandals) that make
• the headlines?