Just like compliance officers, regulators work within a range of forces, priorities, and constraints. Understanding those factors is essential for managing regulatory relationships.
Given that regulators operate in conjunction with the enforcement power of the state, there is a natural tendency to see them as monolithic, all-powerful entities. But the fact is that regulators operate in the same highly dynamic environment as compliance officers. Understanding the regulatory perspective is essential for keeping compliance efforts effective, holistic, and strategic.
With Transparency Comes Responsibility
In several jurisdictions, regulators are becoming more transparent and collaborative with industry, sharing priorities, data, and other key insights. This evolution has been particularly notable in the United States, where the Securities and Exchange Commission has been much more active in issuing risk alerts and deficiency letters. With this increase in communications, however, comes an implied increase in expectations—firms should consider themselves as having been put on notice regarding the areas on which regulators will focus their attention. That the SEC has recently emphasized cybersecurity, marketing, and best execution, for example, means that chief compliance officers should proactively ensure that compliance best practices are woven in to those functions.
Regulators are embracing technology as well, not only in fostering fintech innovation, but also in ensuring that their own regulatory capabilities stay abreast of the growing torrent of financial information. This too raises the bar on compliance. With regulators increasingly applying advanced analytics to firm communications, transactions, and other data points, the internal audit function of financial institutions will be under increasing pressure to keep pace. Larger firms with sizable technology budgets are generally well positioned to respond accordingly. Small and mid-sized firms with more limited resources, however, will be forced to prioritize and to invest additional effort up front to establish a regtech strategy. In doing so, it will be critical to start by looking broadly at workflow, data handling, processes, and training—and only then to determine which technological fix makes for the most complete solution.
An institution operating in a single jurisdiction that tailors its compliance program to that jurisdiction may find itself ill-prepared if it decides to expand operations into an area with more stringent requirements.
The Ripple Effects of Resource Constraints
Just as many firms face resource constraints and must therefore set priorities, so it is with regulators. This is true of all jurisdictions, but particularly so in the many geographies where the regulatory infrastructure is still maturing. Consider that for every piece of legislation that is turned into a regulation, the regulatory agency needs to write, revise, and finalize the regulations; establish a framework for assessing compliance; and create a monitoring and testing process that has teeth but acknowledges that different institutions will be at different points in their development. Faced with those hurdles, a jurisdiction that is still strengthening the effectiveness of its anti-money laundering controls, for example, may have no choice but to postpone establishing appropriate cybersecurity regulations.
This situation affects institutions of all sizes. An institution operating in a single jurisdiction that tailors its compliance program to that jurisdiction may find itself ill-prepared if it decides to expand operations into an area with more stringent requirements—not to mention that it leaves itself vulnerable if it matches its risk mitigation efforts to compliance standards that can be outmaneuvered by more sophisticated bad actors.
But even those institutions with the expertise, resources, and technology to adopt global best practices are affected. The global nature of the financial sector exposes larger institutions to risk when they collaborate with local institutions where regulations are still maturing. There is a broader concern as well: An attack on any point in the financial system has the capacity to undermine public confidence in the larger infrastructure.
In the environment in which today’s financial services firms operate, complying with regulations is only a starting point. Considering regulatory developments in their larger context can provide important insights that allow firms to more accurately recalibrate their risk management strategies.
Compliance and Regulatory Consulting
Local and global compliance expertise for the financial services industry.
Kroll Cyber Risk
Kroll's award-winning cyber experts can help clients in every step of the way toward cyber resilience.
Comprehensive support for asset managers registering in the U.S.