New regulations forcing businesses to provide consistent and timely evidence of accountability are hitting processes and operating costs hard and are leading to the emergence of third-party, specialist “financial crime and compliance risk utilities”. Matthew Long of Oracle looks at the pros and cons of outsourcing compliance and risk to third parties.
The dust may have settled following the crash of 2008, but the financial-services sector is still feeling the reverberations to this day in terms of risk and compliance regulations. The fallout from the Panama offshore financial-services leak may result in further action, and governments and regulators are responding to calls to prevent such an event happening again and are overseeing reforms designed to change practices and behavior.
These reforms mean that there has never been a tougher—or more rewarding—time to work in financial-services compliance and financial-crime risk departments. While the fact that it’s a fast-growing and increasingly important function may make it an attractive career choice, it is also fraught with high levels of personal risk, especially in senior or management positions, where accountability is high. If the organization is seen to be in breach of regulation, it can be the compliance and risk executives in the firing line.
Most recently, we’ve seen the UK’s Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) reveal new measures that can result in hefty fines or up to seven years in jail for individuals.
Personal and corporate risk can be mitigated somewhat by the effective use of specialist technology and personnel; however, the conditions are also ripe for the rise of “financial crime and compliance risk utilities”. Used most effectively, these third parties can potentially mitigate financial crime and compliance risks as well as lower operating costs.
Risk utilities look increasingly attractive to financial institutions. Outsourcing data-intensive tasks can help identify operational inefficiencies that increase non-compliance risks and overall compliance costs. For example, functions such as alert optimization, initial triage, detection scenario development, and testing and risk assessment could all potentially be outsourced.
This could help tackle today’s tactical financial-crime risk and compliance problems while bringing greater predictability to compliance-related spending. Additionally, it moves the personal-risk burden away from the compliance and risk officers.
Outsourcing companies are also more likely to have dedicated up-to-date technology, because it is their business rather than a cost of doing business. Many financial organisations today rely on “best-of-breed” technology systems from different suppliers to deal with very specific aspects of financial crime and compliance management (FCCM), such as transactions monitoring, data-quality management or risk assessment. While these systems may have been cutting edge at the time of purchase, many may not be well-suited to the rapidly changing regulatory landscape.
Financial institutions are already using third parties in other parts of their businesses—such as payments processing and auditing—so it’s not too much of a jump to see that this could move to risk, too.
There are, of course, some structural issues that would need to be overcome for risk utilities to thrive—not to mention the creation of very robust contracts and service-level agreements. Banks have traditionally been unwilling to place sensitive compliance and financial-crime data outside their four walls, but recent reports from the likes of Ernst & Young suggest a growing interest in broader financial crime and compliance business-process outsourcing. Additionally, more financial institutions are growing comfortable with storing information in the cloud and outside their four walls.
Of course, risk utilities would need a rock-solid reputation for handling sensitive data securely and would need to be trusted from day one. This is not an opportunity for startups. Already-established players such as technology partners and management consultancies would have a natural advantage.
There are, of course, benefits to keeping this function in-house. Handing over sensitive data about business processes to a third party brings up legitimate questions about security and compliance that need to be satisfactorily answered. Choosing an outsourcing partner may mitigate risk, but it does not abdicate responsibility.
Other considerations before outsourcing include the likely loss of expertise in-house and dependence on the supplier. This could prove an issue if the organisation needs or wants to bring the work back in-house at any point.
However, as tighter regulations continue to be implemented, it is likely financial institutions will increasingly look to risk utilities. Outsourcing provides a rigorous approach to monitoring and surveillance activity that generates meaningful alerts, enables efficient investigation and analysis, and streamlines ongoing management and reporting. This is key to meeting more stringent regulatory expectations and achieving an operating environment that ultimately protects the institution’s reputation and customers.