Does Your Organization Suffer from Compliance Complacency?

Within the vast arena of modern financial regulation, an emerging challenge threatens the very ethos of regulatory adherence: compliance complacency. This syndrome, stemming from the false sense of security that can set in upon the fulfillment of notable regulatory demands, the completion of transformative institutional changes, or simply the passage of time, can blindside even the most diligent of organizations.

What Is Compliance Complacency?

Institutions suffering compliance complacency lose their attentiveness to continuous improvement and sustained regulatory compliance, as trust in past achievements overshadows the need for ongoing vigilance. Those exhibiting the syndrome are inclined to believe that “all issues have been fully and completely addressed” and that attention can now turn to other business matters. By relying heavily on past measures and believing that they remain sufficient for current and forthcoming regulatory challenges, the compliance-complacent organization may exercise only passive oversight.

On the contrary, however, the Office of the Comptroller of the Currency (OCC) “expects banks to ‘be on the balls of their feet’ with regard to risk management,” Acting Comptroller Michael J. Hsu said in a statement accompanying the release of the OCC’s Semiannual Risk Perspective for Spring 2023. He emphasized the importance of banks’ “maintaining discipline and strong risk management across all risk areas, not just in response to headlines.” He further indicated that compliance risk is an area to be highlighted “given the dynamic environment in which compliance management systems are challenged to keep pace with the change.”

Comptroller Hsu is by no means alone in this concern. For example, in November 2022, the Australian Prudential Regulation Authority (APRA) published an article titled “No Room for Complacency on Bank Risk Culture,” which summarized its survey of Australian depository institutions regarding various components of their risk management practices. The APRA’s long list of focus areas included leadership, risk appetite and strategy, decision-making and challenge, communication and escalation, risk capabilities, risk governance and controls, responsibility and accountability, performance management and incentives, alignment with purpose and values, risk culture assessment, and board oversight.

Two particularly interesting, if perhaps controversial, “key risk culture survey insights” cited by the APRA were:

• Executives are overconfident regarding their entity’s risk management capabilities.
• Executives are prone to blind spots.

As well, the APRA noted the following key points:

• Results from the risk culture survey serve as a reminder to boards and senior management that continual vigilance is needed.
• Banks have undertaken a lot of work to transform governance, risk culture, remuneration, and accountability practices, but now is not the time to slow momentum.
• A continued and sustained focus on improving risk management practices and behaviors is required.

When and Where Is Compliance Complacency Likely to Occur?

Compliance complacency can occur at any time. However, there are particular situations that can heighten the risk of complacency, including:

• Completion of successful remediation or automation projects can result in a sense of overconfidence that challenges the imperative for regular ongoing reviews.
• Stable market periods can reduce the perceived urgency for ongoing compliance vigilance.
• Major organizational shifts, whether resulting from mergers, acquisitions, or restructurings, can cause compliance to take a backseat to operational and revenue-oriented activities.
• Instances of significant staff reductions or turnover can create undetected institutional knowledge gaps in compliance processes.
• A perceived decline in regulatory activity in a particular area or diminished enforcement in the market might inadvertently signal a lessened risk of non-compliance penalties, further feeding into complacency.

All areas of an institution’s compliance program (see graphic below) are susceptible to the onset of compliance complacency.

However, there are certain operational facets within financial institutions that are especially vulnerable, including:

• Policies and Procedures: Foundational to bank processes, these can become obsolete without frequent review and updating, rendering them misaligned with current product and service offerings and any variations in the manner in which they are being provided, as well as with the contemporary regulatory environment.
• Risk Assessments: If relying on legacy systems or methodologies that are not aligned with the current applicable risk criteria, these may omit new threats.
• Customer Due Diligence: If using stale or inconsistent client file information or customer risk profiles (for example, following mergers or customer acquisitions), customer due diligence processes can leave institutions exposed.
• Systems and Governance Frameworks: If outmoded, these can create gaps in transactional oversight, internal and external reporting, and supervision, among other areas.

How Can Financial Institutions Combat Compliance Complacency?

For financial institutions to genuinely counteract compliance complacency, they need to cultivate holistic, ongoing review, enhancement, and governance strategies. These strategies include periodically performing the following activities:

• Reviewing policies and procedures, assessment methodologies, databases, automated tools, controls, monitoring, and testing to align with the current customer profiles and business activities of the bank.
• Clearly defining and periodically refining risk and compliance roles and responsibilities.
• Reviewing and enhancing the monitoring and reporting used to detect and align with current and emerging risks.
• Providing refresher training to help ensure that staff is educated as to market and industry developments.
• Performing quality control assessments for even the most seasoned staff members to prevent slippage in quality.
• Rotating and cross-training staff to incorporate new and varied perspectives.
• Reviewing management information reporting and confirming that it aligns with the current customer profiles and business activities to provide management with meaningful data for risk governance purposes.
• Reviewing the risk governance framework and supervisory structures to confirm that they align with the current business activities and business strategy of the bank.
• Periodically providing briefings to the board of directors and management committees on new and emerging risks.
• Engaging in regular communications with regulators.

Regular evaluations of all compliance mechanisms, irrespective of recent implementations or other successes, serve as a safeguard against complacency. An engaged leadership that fosters a culture of continuous improvement and external benchmarking is crucial. Continual staff training keeps teams aware of evolving regulatory norms, while also fostering institutional knowledge retention. Engaging with regulatory bodies, and leveraging insights and guidance provided by other governmental entities, such as the Department of Justice, enables institutions to align with regulatory expectations.

Conclusion

The ever-evolving world of financial compliance demands relentless vigilance. While historical successes provide valuable lessons, resting on these laurels is not an option. Institutions must actively guard against the allure of complacency, ensuring their unwavering commitment to risk management. This dedication is pivotal for institutions aiming to protect against financial misconduct and to preserve their operational integrity.