Reducing the cost of regulatory compliance for outsource contracts, part 1

This post is a follow-up to an earlier post in which I describe the rough outlines of an approach to reduce the expenses that have to be included in the business case for ensuring regulatory compliance. This post is not meant for the average company that only has to worry about SOX and standard privacy laws. It is based on my experience of working for a large international bank that did a lot of outsourcing but did not know how to translate the large body of national and international laws and regulations into a manageable and cost-effective control and monitoring framework.

What does regulatory compliance cost?
A World Bank study from 2005 shows that in the Netherlands, the United Kingdom, Belgium, Sweden and Norway on average 8 to 11% of total government expenditure goes towards regulating business. Figures from the United States over 2004 indicate that a total of 14.9% of the Gross National Income is spent on laws and regulation (11.2% on national regulation and 3.7% on regional and local regulation). In 1947 this was 4%.

The figures do not show what percentage was accounted for by financial institutions, but research from Australia does give an indication. In that country, banks spent A$1.02 billion (€630 million) on complying with new anti-money-laundering and counter-terrorism laws and regulations in 2007. This amounts to A$50 (€31) per capita. Combined with the increased attention of regulators and governments for the financial sector, these figures mean that the cost of compliance is likely to increase even further.

Overall objective: look at compliance more from a financial perspective
The most important prerequisite for structurally reducing compliance cost is to teach (senior) compliance officers to approach regulation from a more business-economic perspective. The typical compliance officer is used to shouting 'Federal Deposit Insurance Corporation' (FDIC) or 'Federal Reserve Board' (FDB) in the United States, or 'Autoriteit Financiële Markten' (AFM) or 'De Nederlandsche Bank' (DNB) in the Netherlands, as if that were enough to get a new control measure implemented. Direct and indirect costs are hardly ever taken into consideration. Although it is up to the business manager responsible for a product, market or activity to decide whether to implement a measure, the advice of the compliance officer carries considerable weight in such a case.

Learning, as a compliance officer, to look at one's work more from a financial perspective, to be able to make cost-benefit analyses and subsequently to talk to the responsible business manager in both risk and finance terminology is to me a key driver to a) optimize the resources spent on compliance (outsourced or not) and b) improve the alignment between the compliance risk discipline and the business managers. The rest of this post looks at how this overall aim can be achieved.

Sub objective one: look beyond the regulation; look at the risk
Being able to create a lean and mean regulatory compliance framework for an outsource contract starts with understanding the scope and nature of the outsource contract, to such an extent that the compliance officer is able to:

  1. Define the 'compliance risk drivers', and
  2. Define a lean and mean scope for the Compliance Chart

1. Compliance risk drivers
The so-called 'compliance risk drivers' are parameters which have a negative or positive influence on the compliance risk the organization runs in relation to the contract. A simple example is the maturity of a financial product. A recently introduced 'green' investment product scores higher on this driver than a standard product that has been traded on the stock exchange for twenty years. So if part of the selling and/or administration of the product has been outsourced, it is important to know that more partner/supplier oversight is required because of this risk driver. Three other examples are the amount of personal data in scope of the contract, the maturity of the vendor's processes, and the attention of regulators for the outsourced activities or for outsourcing in general.

Weighting and subsequently scoring the risk drivers for the portfolio of outsource contracts provides insight into how outsource contracts relate to each other in terms of their compliance 'heat maps'. At the end of this activity the compliance officer should thus have a risk profile for every individual contract plus insight into how the contracts score compared to each other. This insight will later on be an important driver for resource allocation and for the control/monitoring effort.

Two points of attention here: a) ensure the risk drivers are defined at an adequate level of detail to prevent the outcome of a risk assessment from being too subjective, and b) the score of a risk driver changes over time (e.g. when the risk appetite changes) and therefore has to be updated regularly.

2. Compliance Chart
The risk profile drives the scope of the Compliance Chart that has to be created for the outsource contract. The compliance risk profile governs the selection of relevant regulations and the underlying themes and requirements (also called 'obligations'). For example, an object can score high on a compliance risk driver called 'presence of personal data records'. In that case several themes from the Dutch Wet bescherming persoonsgegevens (Wbp) will have a prominent place in the Compliance Chart. The design of the Compliance Chart will thus consist of a minimal base set of regulatory requirements, complemented with specific add-ons derived from the characteristics of the risk profile.

The cost advantage lies in leaving out non-relevant regulation and in prioritizing the themes and requirements that do belong in the Compliance Chart. Additional efficiency gains are captured later on, when the control and monitoring strategy is defined on the basis of the lean-and-mean Compliance Chart.

The regulator on risk-based compliance management
Research by the Basel Committee from 2008 shows that the compliance function is given an important role in managing risks. The responsibilities mentioned in Basel II have been implemented in the Netherlands within the Wet op het financieel toezicht (Wft) in article 3:17 Wft and article 21 Bpr. These articles have a direct link with article 13 of the Markets in Financial Instruments Directive (MiFID) and with article 6 of the implementing directive, in which the implementation and measures are discussed: 'Member States shall ensure that investment firms establish, implement and maintain adequate policies and procedures designed to detect any risk of failure by the firm to comply with its obligations under Directive 2004/39/EC, as well as the associated risks, and put in place adequate measures and procedures designed to minimise such risk.'

The quote above indicates that the regulator not only expects the financial institution to implement the regulation, but also to comply with the regulation's overarching goal: that undesirable activities and behaviours are prevented. In short, the management of the underlying risk.

The approach applied in practice
At the compliance department of the financial institution I worked with, applying this methodology first of all meant more prominent involvement of compliance officers in new projects. This turned out to be a difficult task, as outsourcing was regarded as a subject initiated by the business and compliance was not seen as a relevant stakeholder. The situation improved, however, once compliance described clearly how and when it wanted to be involved, and the compliance function was formally incorporated into the project governance.

At the financial institution, one of the discussions was about the reputation risk the organisation would take when an Indian supplier did comply with local Indian laws (for example concerning taxes or child labour). In other words: was the organisation-wide control maturity of the supplier a compliance risk driver? And if so, when would the compliance risk appetite be exceeded?

More on this subject in a follow up post.
