Trends in regulatory enforcement in the age of compliance angst

Legal and compliance experts discuss the changing shape of regulatory enforcement and how financial institutions are adapting to a shift in approach

Recent months have seen a step change in how regulators approach enforcement actions. Control failures are being penalised with hefty fines and a range of other measures, including monitorship. In a panel discussion at Risk Live North America, experts examined how regulatory enforcement is changing and what financial institutions need to do to account for this shift in approach. This article highlights the key themes emerging from the session.
 

Enforcement approach 

Regulatory enforcement is a moving target. In the opening comments, the panel noted that the enforcement approach of regulators such as the US Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) continually evolves, with the administration of the regulators being the primary driver of regulatory tone.

Jane Norberg, partner at Arnold & Porter, observed: “Priorities change from administration to administration. This current SEC administration, for instance, is fairly aggressive in terms of the penalties it is imposing.” 

Generally, across regulators, there has been a shift in approach, with more frequent use of targeted sweeps to gather sample information, an increase in fines for control failures and the use of monitorships and independent compliance consultants to track progress at institutions where issues have been identified. 

Regulators’ stated examination priorities are a good indicator of the current focus of enforcement actions and, therefore, where financial institutions should focus their efforts. “The SEC recently came out with its [2024] exam priorities. I always say that today's exam priorities are tomorrow's enforcement actions,” said Norberg.
 

Current regulator focus

Turning attention to current regulatory enforcement focuses, several themes emerged. Channel communication on personal devices has been a particularly hot topic over the past few years, attracting several hefty fines. 

Third-party risk management is another key theme and has been listed in the SEC’s exam priorities for 2024. Many financial institutions use third parties for critical elements of their services, such as data processing and management, but there have been high-profile failures that have had a wider market impact. These providers are not directly regulated but, given the potential impact of outages, there is growing focus from regulators on how financial institutions are managing and monitoring these suppliers.

Then there is cyber security. The SEC has created new rules for public companies, effective from December 2023, under which institutions must update their approaches and timelines for assessing and reporting potential data breaches. One common risk highlighted was the disconnect between those dealing with cyber security incidents and those making decisions and disclosures, and whether or not to report it. Norberg said: “You have to make sure everybody is at the table when you’re trying to figure out whether or not this is an internal incident. The controls and procedures need to be in place so you are ready to deal with what is often a chaotic and fast-moving incident.”
 

Mapping the control environment 

When it comes to managing compliance programmes, mapping the control environment to the risks faced was considered a critical step. “A compliance programme can be summed up with the following questions: What are the biggest risks, who owns them, what are they doing about them, is it working, what are the controls and how do you know?” said Mark O’Neal, director, compliance lead for institutional investments at Citi. “Foundational to all of those things is to map your regulation and find out what your inherent risks are – and also the risk of non-compliance”

But it was also recognised that this is a complex exercise given the volume of controls. Serge De Coster, chief intelligence and analytics officer at Acin, said: “You might be looking at 20,000–30,000 controls. This makes a human-only approach very difficult. Advances in natural language processing [NLP] can help banks overcome this hurdle, for instance, by taking a list of regulatory obligations and identifying the ones that lack controls or where there are duplicates. It can also help with benchmarking and comparison of controls, all of which can significantly help when dealing with regulator requests.”
 

Interacting with regulators

Alongside mapping compliance obligations, it was also highlighted that financial institutions need to consider all of their interactions with regulators and how they can make these as strong as possible. “Enforcement is the final step in the process,” said De Coster. “[But] all the little steps that lead to enforcement are also meaningful. Generally, firms have limited interaction with regulators, so it is important that each of those interactions is a good one.”

With this in mind, financial institutions need to showcase all that they are doing to be better at compliance. Responding to queries in a timely manner, being transparent and being a good partner during regulatory exams all help develop a strong working relationship with the regulator. It also stands institutions in good stead if and when mistakes are made. 

Financial institutions also need to recognise the importance of quantitative data when responding to regulator enquiries, with officials expecting to see data to support the controls and procedures that are in place. “It’s important for banks to invest in the datasets they have available so they can evidence the controls in place to deal with a wide range of regulatory obligations and regulatory questions,” said De Coster.

In line with this, putting in place good housekeeping practices is essential. “When regulators are scrutinising historic trades and trying to reconstruct them, if data is missing it will cause the regulator to question how well you are keeping records,” remarked Sabeena Ahmed Liconte, head of legal and chief compliance officer at ICBC Standard Bank Group.
 

Self-reporting and whistle-blowing

When control failures occur, consensus among the panel was that self-reporting could be beneficial in terms of reducing enforcement actions. Certainly, there are examples where firms with self-reported compliance breaches have received lower fines. However, regulators vary in their stances on self-reporting and, in some instances, there is a lack of clarity around the tangible benefits of doing so. 

Despite this, the need for compliance programmes to have clear policies and procedures in place for employees to report issues internally was considered paramount. “Institutions must show that reports are being collected, triaged and investigated. So, if there really is a problem, there is an opportunity to remediate and determine whether it's in your best interest to self-report,” commented Norberg. 

This was considered particularly important given that regulators, including the SEC and CFTC, have incentives in place to report failings. As such, if internal escalation measures are not clear or managers are not trained in how to handle complaints, it is very easy for individuals to take the whistle-blowing route. If there is a good internal reporting procedure in place and an individual also makes a report to the regulator, the institution can at least demonstrate it has the matter in hand.

“Internal escalation is something all firms have to think about. Sometimes processes are overcomplicated. If you can simplify these and find a way to incentivise people to take the extra step, you'll have a better accountability regime,” said Citi’s O’Neal.

It was also highlighted that self-reporting need not be the final step when the bank reports a problem to the regulator, but that it can happen at any stage. “If you self-report when you identify a shortcoming in your control environment and build a plan to remediate those shortcomings, you can define and build a more trusted relationship with the regulator,” noted De Coster.
 

Conclusion

Regulators' approaches to enforcement actions are changing. No longer is the focus purely on misconduct, but there is increased scrutiny of and penalties for compliance breaches. The precise challenges – whether the use of personal devices or supervision of third-party suppliers – will change from one year to the next, but there are good practices that can be put in place to ensure a strong compliance culture.

Mapping controls to risks is the foundation of a successful compliance programme but, with the volume of controls increasing rapidly, the use of technology such as NLP is essential. Financial institutions also need to consider how they approach ongoing interactions with regulators, as well as the policies and procedures they have in place for self-reporting, all of which play a vital role in building a trusted relationship with supervisors. 

Sponsored content