Senior Marketing Manager
Compliance is not just a goal for every regulated industry across the globe—it’s a requirement. But what does that truly mean? A 2023 KPMG Chief Ethics & Compliance Officer Survey found that a majority of 240 chief ethics and compliance officers felt increased pressure to prioritize financial compliance and believed that the increased focus on regulatory compliance would continue for the foreseeable future.
While boards of directors and regulatory agencies were cited as the biggest sources of this pressure, investors, employees, and customers also demanded more focus on complying with regulations. It’s not just regulators that require good behavior and compliance: the general public examines organizational behaviors and values like never before.
So we had better understand what we mean when we say we’re ‘compliant’, right? But is there a simple definition? Well, we could say that financial compliance encompasses all of the actions an organization takes to remain on the right side of the laws and policies that govern the financial services sector and capital markets.
But dive a little deeper, and you’ll see that there are many aspects of financial compliance, including risk assessment, anti-money laundering, and KYC. Here, we’ll explore these and examine common financial regulations and how organizations can achieve compliance.
Broadly speaking, regulatory compliance is a set of rules that defines how consumer data, medical treatment, digital assets, and even private communications must be monitored, analyzed, archived, and managed to protect sensitive information and provide people with a level of safety that society has deemed reasonable. All for-profit, nonprofit, and exempt-status organizations and their employees are responsible for complying with these rules and face consequences for any failure to adhere to them.
Financial compliance is a subset of regulatory compliance that applies to investment banks, insurance banks, stockbrokers, lenders, and all other financial institutions. For these organizations, the penalties for non-compliance are often severe and include fines, legal penalties, and the revocation of licenses that permit market trading, lending, and other monetary transactions. At the individual level, employees found guilty of noncompliance could face personal jail time.
Firms routinely conduct compliance risk assessments to protect themselves from the consequences of non-compliance. Often, to ensure impartiality, organizations outsource the assessment to a third-party firm. These firms identify, evaluate, and prioritize regulatory risks by assessing policies, training, communications, internal controls, and oversight to pinpoint potential threats.
A compliance risk assessment methodically reviews and scores an organization on its ability to meet and manage external and internal hazards. The final score measures the potential threat of exposure to future legal penalties, reputation damages, monetary fines, and material loss.
Compliance risk assessments vary widely with respect to their depth and methodology, but in general, they all follow 5 basic steps:
No matter what regulatory body an organization is abiding by, auditing and assessing compliance is vital to protect the market.
Money laundering is the process of turning “dirty” money gained through illegal means into “clean” money through various practices. The money involved in these schemes may be gained through illegal activities like the sale of drugs or through financial crimes like tax evasion, bribery, theft, and embezzlement — and they may be used to fund terrorism.
Stemming the flow of dirty money through the financial system is a top priority around the world to help disrupt criminal schemes and aid law enforcement in the apprehension of terrorists and criminals.
Financial institutions face harsh consequences if they’re caught permitting transactions involving illegally obtained paper or digital currency. Among the penalties for failure to comply with AML regulations are steep fines, lengthy regulatory audits, and even restitution of funds. The latter is particularly alarming, as restitution penalties that exceed available cash on hand could force bankruptcy.
One key area of concern in financial compliance risk associated with AML is Know Your Customer (KYC), which refers to actionable steps that financial institutions must take to identify customers in order to combat money laundering. There are three components of KYC:
Due to ongoing terrorist threats and attempts to launder money to bypass international sanctions, KYC has become a key focus of financial regulators. In 2022, regulators imposed fines totaling nearly $5 billion for breaches and deficiencies in KYC systems alone.
AML is just one type of financial regulation that financial institutions must comply with, and the specific requirements vary across the globe, so it’s important that organizations maintain compliance in each region in which they do business.
In the U.S., key regulators include the Commodity Futures Trading Commission (CFTC), the Consumer Financial Protection Bureau (CFPB), the Federal Deposit Insurance Corporation (FDIC), the Federal Trade Commission (FTC), the Financial Industry Regulatory Authority (FINRA) and the Securities and Exchange Commission (SEC).
A few key financial regulations establish the requirements for financial compliance, including:
Non-compliance can be incredibly costly for companies: civil monetary penalties for GLBA violations alone can range from $5,000 to $1 million per day of violation. For example, the credit reporting agency Equifax was forced to pay a $575 million fine in 2019 after the FTC and CFPB found that it didn’t take steps to secure its network and was therefore at fault for a 2017 data breach.
Several key compliance regulations play a vital role in shaping the banking landscape in the EU, including:
When firms are found to be out of compliance with these regulations, the European Central Bank (ECB) can impose sanctions as well as monetary penalties on banks for non-compliance. Those penalties are non-trivial and can reach 10% of the bank’s total annual turnover, or twice the profits gained or losses avoided through the breach. As in the U.S., malfeasance can undermine customer confidence and severely harm an organization’s reputation.
A recent example of enforcement is the case of Meta. In 2023, the EU fined the social media company more than $1 billion for transferring users’ personal information to the U.S. and ordered the company to delete the transferred data. Had Meta not complied with this order, the EU was prepared to cut off access to Facebook, Instagram and other Meta services, which undoubtedly would have meant additional losses for the company.
Compliance management is the ongoing process of monitoring systems, communications and processes to ensure compliance with industry and security standards, regulatory obligations and corporate policies.
Due to the ongoing threat of penalties for noncompliance, compliance monitoring can’t be a one-and-done effort. Continuous monitoring and improvement are vital for protecting organizations and must take place at both the systems and employee levels to be effective.
Within the financial services industry, compliance management spans 4 interdependent components of internal controls:
In some cases, there is a fifth step involved in the workflow: Advisory. This is when the findings of the evaluation are presented to the board and management team to inform them of the predicted risk and solicit their guidance on next steps.
Detection has become a major focus for organizations over the last two years due to shifting priorities among U.S. regulators prompted in part by the COVID-19 pandemic.
When shutdowns prompted many organizations to shift to work-from-home models, many employees began using personal electronic devices and messaging apps like Signal, Teams and WhatsApp to communicate, and even as offices reopened, usage continued. While convenient, these forms of communication typically aren’t monitored by organizations, creating blind spots in compliance management efforts.
The SEC and CFTC took notice of the changes in how organizations were doing business and issued warnings that allowing unmonitored communications to continue would result in penalties. Since then, the regulators have followed through on their threats, issuing more than $2 billion in fines to those who continue to allow employees to use unmonitored communications channels. One of the most recent examples is the $125 million fine levied against Wells Fargo in August 2023. These events point to the importance
Financial compliance teams are under pressure to keep up with numerous internal and external threats to their ability to operate. The 5 biggest challenges facing compliance officers in the financial services industry are:
Although these challenges seem daunting, they are surmountable, and the goal of achieving financial compliance is attainable — after all, financial firms have long histories of achieving financial compliance and generally have only rare, episodic incidents of non-compliance.
With so many competing priorities, the best way to ensure compliance is a proactive approach to monitoring like Shield. Communications monitoring is just part of the story, but with the right partner it can protect your organization from bad actors and unwanted attention. A strong compliance framework starts with the right strategy, built on a foundation of transparency and collaboration.