COO Magazine Q4 2024
Key to Effective Regulatory Compliance: Robust Governance and Control Framework
Saumya Deva
Former Vice President
APAC Regulatory Change Programs
Wells Fargo
Armstrong Wolfe Advisor
Non-financial risks are becoming increasingly critical as the banking industry evolves, and effective management of these risks is essential for maintaining stability and trust in the financial system.
Regulatory compliance is a critical non-financial risk for global banks. There has been a surge of regulatory demand over the years which will continue in the foreseeable future.
Recent regulatory trends in banking
Regulation remains a major factor shaping the strategic priorities of banks globally. Factors such as challenging economic conditions, the need for financial stability and operational resilience, evolving consumer demands and behaviours, and environmental, social, and governance (ESG) concerns are all impacting regulatory agendas. Regulators are increasing oversight on areas around:
- ESG
- Digital currencies
- Anti-money laundering (AML)
- Third-party risk Management
- Privacy
ESG regulations are evolving rapidly and now the financial sector must move beyond merely understanding ESG frameworks to actively integrating them into their business models. ESG risk not only impacts non-financial risk areas but can impact credit risk as well which makes it critical to ensure the risk measurement accounts for the complex nature of this risk.
Currently, most ESG regulations and reporting requirements are heavily focused on the environmental issues, particularly climate reporting related to carbon emissions. To ensure compliance and readiness for future regulations, financial institutions of all sizes should establish robust frameworks for accurate and timely ESG reporting across parameters. Key steps in developing a forward-looking ESG compliant strategy include improving data collection and reporting capabilities. To enhance global consistency, comparability, and reliability in sustainability reporting, the International Sustainability Standards Board (ISSB) introduced the first IFRS Sustainability Disclosure Standards which have been effective since January 2024. T
hese standards are built on the basis of existing frameworks, including Task Force on Climate-Related Financial Disclosures (TCFD) and Sustainability Accounting Standards Board (SASB). This reporting will be integrated with financial statements. As a result, companies will need to implement processes and controls to ensure that sustainability information is delivered with the same quality and timeliness as their financial data.
While regulators continue to establish expectations, many banking and financial institutions have pushed back against ESG initiatives over the past year. Some of the biggest banks in US including Citi, Wells Fargo, JP Morgan Chase and Bank of America have withdrawn their participation from the Equator Principle which has been one of the oldest environmental and social framework. Earlier in the year JPMorgan Asset Management, State Street Global Advisors and Pimco withdrew from Climate Action 100+ which is a $68 trillion initiative focused on Climate Change. Most recently in August, Goldman Sachs also announced its departure from the initiative.
EU that has been at the forefront of ESG standards has also seen anti-ESG sentiments from various sectors. This shift is primarily driven by the fact that ESG focus hasn’t led to the expected financial performance and the investors continue to demand return on investment. Over time, regulations have evolved to accommodate broader investment opportunities under the transition framework. While investors still hold mixed feelings about ESG, the strategy has become firmly ingrained in the market.Once viewed with scepticism and uncertainty, digital currencies are now being recognised as a legitimate asset class in various regions. As a result, many countries are developing their regulatory frameworks to offer clarity and protection for those involved in the crypto market. Regulators are tasked with a challenging balancing act wherein they must promote innovation while addressing risks associated with cryptocurrencies.
This includes concerns about investor protection, financial stability, and the prevention of illicit activities. The rapid evolution of cryptocurrencies presents significant challenges for firms, largely due to the lack of consistent global standards and frequent legislative updates. In 2023, regulators reinforced their scepticism towards crypto activities which will lead to increased scrutiny in 2024. Going forward, the regulatory bar will remain high for Distributed Ledger Technology (DLT) and crypto engagements.
Governments, financial institutions, and international regulatory bodies worldwide are intensifying efforts to enforce strict Anti-Money Laundering (AML) regulations. These measures aim to prevent financial crimes, uphold economic stability, and ensure transparency in financial transactions. Achieving AML compliance involves integrating various processes and controls primarily around Due Diligence, Risk Assessment, Suspicious Activity Reporting (SAR), Record-Keeping along with ongoing monitoring.
Balancing AML compliance with privacy concerns presents a significant challenge. Regulatory frameworks like the General Data Protection Regulation (GDPR) impose rigorous data privacy and security requirements, but the same data is often necessary for comprehensive AML compliance. Banks need to determine AML strategies that protect privacy while meeting regulatory demands. Data privacy is vital for financial institutions because of the sensitive nature of the customer information they manage. Breaches can lead to serious consequences, triggering both international and local regulatory actions.
Banks are increasingly dependent on third-party providers (TPPs) for essential functions including cloud computing and data analytics, that support digital transformation. However, this growing reliance also introduces significant risks, particularly as the market becomes more concentrated among a few large providers. While firms can manage their individual arrangements with these TPPs, they cannot fully mitigate the broader systemic risks posed by the largest providers. As a result, regulators are implementing measures to address third-party resilience on a wider scale.
Digital Operational Resilience Act (DORA) establishes a framework for banks in the EU to manage information and communication technology (ICT) related risks, with a strong emphasis on third-party risk management. This act will be effective in January 2025. Institutions must evaluate the operational resilience of their ICT suppliers, prepare contingency plans for potential disruptions caused by these external partners, and adhere to specific contractual obligations outlined by the regulation. This new rule can potentially curtail incidents like the CloudStrike outage that affected 8.5 million computers running on Windows. Several global banks reported temporary disruption in their services due to the outage.
Challenges and Way Forward
Firms are facing intense pressure from increasing regulation and investigations by international and local authorities, prompting extensive reviews, audits and litigation.
Non-compliance with regulatory requirements leads to fines, penalties and in extreme cases may lead to reputational damage, sanctions and operational disruption. Financial institutions need to be well-prepared for regulatory Enforcement Actions (EA), such as consent orders and cease-and-desist orders. Regulators frequently issue Enforcement Actions for various reasons including violations of laws, rules, or regulations, unsafe or unsound banking practices and breaches of fiduciary duty.
Enforcement Actions have significant and multifaceted impacts on institutions. In addition to the expenses related to compliance and remediation efforts it can also hamper the image of the bank and can impact customer and investor confidence. Management changes might also occur as part of the response to an EA, affecting organisational stability and leadership.
In July 2024, the OCC and FRB fined Citigroup $135.6 million for failures to make sufficient progress in meeting obligations outlined in the 2020 consent order. The requirements were related to issues in risk management, data governance, and internal controls, underscoring the ongoing challenges the bank faces in strengthening its compliance practices.
Addressing the issues raised by regulators requires substantial resources and can limit an institution’s strategic and operational flexibility. There is often a need for a comprehensive and lengthy process remediation, including implementing new policies and controls, enhancing training programs, and improving risk management practices.
Governance Structure and Accountability
To meet these regulatory requirements, banks have set up a governance model that follows the three lines of defence (3LoD) approach for effective risk management and control oversight. Organizations need to continuously optimize and strengthen this model to ensure effectiveness. It is imperative to establish that the framework is integrated seamlessly and there is collaboration across the 3LODs. The first line of defence is typically comprised of business units and enterprise functions.
They are responsible for identifying, managing, and mitigating risks within their own processes and activities. The second line of defence generally includes risk management, compliance, and may include other control functions. They provide oversight and ensure that the first line’s risk management practices align with regulatory and internal standards. The third line of defence is internal audit, which provides independent assurance that the first and second lines are effectively managing risks and complying with the established frameworks and policies. The responsibility to establish control frameworks, set policies, and monitor adherence to these controls may sit either with first or second line of control.
The way a bank defines and separates first and second line activities can differ based on its unique business model. However, it is important for organisations to build a strong framework for governance and controls based on their operations and regulatory requirements.
Saumya is an experienced regulatory change management professional with over 15 years in the banking industry, having worked with major global banks such as Wells Fargo, HSBC, BNP Paribas, Nomura and Lehman Brothers. While she is currently based in Dubai, her career spans across key financial hubs including Hong Kong, New York, and Mumbai. Saumya has a rich background in managing complex regulatory change projects and has developed extensive expertise in navigating and implementing banking regulations across US, EU, and APAC jurisdictions. Her proficiency extends to regulatory compliance, governance, risk management, and internal controls.