
Complinet

A new regulatory equation: (principles-based regulation + risk-based compliance = a new deal)

January 3, 2007 — For those of us with long memories in the UK, the move towards principles-based regulation does not initially seem to warrant the kind of headlines that the Financial Services Authority attracted a few weeks ago. In fact, Dan Waters, director of the retail policy division at the FSA, points out that principles-based regulation has been with us since the days of the Securities and Investments Board. Others will recall that banking regulation in New York and London involved just one simple statement: "You should be prudently managed and sufficiently capitalised".

But something new really is going on, in the US as well as in the UK. This article sets out to define the new deal, its origins in the Basel Accord and its consequences for compliance departments.

Waters laid the groundwork for this in the same speech and he is worth quoting: "The point of more principles-based regulation … is to encourage a thoughtful and individual engagement by senior management and firms with the core of what regulation is trying to achieve ... Life changes, firms and their business models change, the implications of the principles and high-level rules in the day-to-day life of firms change too. MPBR is about thoughtful, challenging engagement, firm-by-firm, with fundamental regulatory questions. There is no rulebook, however long, that could contain the answers to these questions." Regulators are indeed tired of shutting the barn door after the horse has bolted.

Have confidence in information

Hank Paulson, the US Treasury secretary, told the Economic Club of New York in November: "Our rules-based regulatory system is prescriptive, and leads to a greater focus on compliance with specific rules. We should move towards a structure that gives regulators more flexibility to work with entities on compliance within the spirit of regulatory principles." He was not just talking about the Sarbanes-Oxley Act.

December's announcements from the Securities and Exchange Commission were prefigured by his comments. Perhaps the least surprising climbdown in the history of regulation, barring the Gramm-Leach-Bliley Act 1999, saw the SEC making it clear to public issuers that the standard of internal control evaluation required when making a Section 404 attestation is not dependent on the vast machinery of box-ticking that most Sarbanes-Oxley programmes represent.

The intention was always that management should have more confidence in the integrity of the financial information they report. The reality is that management focuses attention on processes to defend themselves from the consequences of error in financial statements and not on addressing the risks to the integrity of those statements. The key here is encouragement to prioritise: if management cannot focus attention on things that present the most risk then they cannot manage.

Recent speeches from the SEC, Federal Reserve Board and the Office of the Comptroller of the Currency are focusing on the ability of brokers, banks and asset managers to incorporate the wider regulatory agenda into their risk management process. Treating Customers Fairly initiatives have not appeared yet, but this is real evidence of convergence, and Paulson's remarks should be seen as recognition of what is already happening. The principles-based approach is increasingly seen as a quick and less painful shortcut to getting players in the financial system to address regulatory concerns. After all, does a one-size-fits-all approach — tick these boxes, no matter how irrelevant they seem, and you will be safe — work for anybody?

Cost savings cannot be the attraction: John Tiner, the FSA's chief executive, says that reducing the size of the rulebook, and of the staff maintaining it, reduces the cost of regulation. Even the FSA acknowledges, however, that in the absence of detailed rules and strong industry guidance it is imperative to help firms maintain standards — and that costs money. Anti-money laundering is a prime example; the Joint Money Laundering Steering Group does great work, but it is not a free gift to the industry.

This is not really about cost. It is about effectiveness and aligning the regulator's concerns with the interests of business management. By becoming risk-based, as the SEC will advocate, Sarbanes-Oxley will not die, it will just become better business value and therefore become absorbed into business management. Perhaps a better word than "principle" is "outcome"-based regulation and its corollary is sound risk management and business decision making within firms.

Three little principles

Regulators always seem to care about the same three things:

This is a big agenda, so big that no regulator could originate and maintain a one-size-fits-all set of requirements for all firms. Arguably the first objective is so important as to outweigh the others combined.

The Basel II experience is hard to ignore when dealing with this. Through the Basel accord process regulators have developed an approach to "safety and soundness" regulation that has taken deep root internationally. They look at the models for market, credit and operational risks to the balance sheets of regulated firms and the ability of management to use that information in running their business. When looking at these risks regulators would be considered insane if they created a "tick-box" mandatory approach for all firms, irrespective of size and complexity. As firms innovate and raise their standards then the regulator can raise the bar by making sure that the industry as a whole has guidance.

So if it is about risk and senior management, what is the "new deal" that the regulator must offer for the outcomes-based approach to work? The key to this is enforcement. John Tiner confirmed in writing to the JMLSG chairman on firms' AML programmes: "If a firm demonstrates that it has put in place an effective system of controls that identifies and mitigates its money laundering risk, then [enforcement] action [by the FSA] is very unlikely."

What this is really saying is that even in a well-controlled firm, isolated rule breaches will occur, and the FSA has no interest in pursuing firms that suffer them despite managing their affairs responsibly. Now it was ever thus: most compliance officers would always look to run the "isolated incident defence". What is new here is the clarity as to the conditions that must prevail beforehand. You will see this in the FSA's CF pronouncements, in the JMLSG's recent guidance and in numerous speeches by Susan Schmidt Bies and Mark Olson, governors of the Federal Reserve Board. The compliance department must function in a way that is similar to other, more mature risk management functions: deriving risks from an integrated view of processes and data, scenario modelling and being able to drill down from those risks to the underlying information that fed them.

Think of it in these terms: if the head of the emerging markets business in an investment bank seeks a significant expansion of his business, market risk can supply management with a real-time view of the value-at-risk in the current business. This can be reviewed against the new business plan and any parts of the portfolio particularly affected (Russian corporate bonds, for example) can be picked out and reviewed in detail. There is certainty about what market risk models should look like and the information that must be pulled together and crunched to feed them. This is not easy when the risks are qualitative not quantitative: compliance risks are essentially reputational.

Compliance departments do not enjoy the same certainties in terms of risk models; the information they must use is disjointed and held in systems, filing cabinets (and the compliance officer's head). Apart from being inefficient, this means that when confronted with the same request from emerging markets, compliance has to dig out its last essay on the subject (how useful is that when making the decision?).

Three steps to compliance

So what are the challenges facing compliance departments if they are to take up the regulator's new deal?

First, compliance departments must provide management dashboards on compliance activity to support better business decisions and to direct risk mitigation. A methodology for setting risk appetite should be adopted: e.g., a scoring system that looks at the current impact/probability of failure in a regulatory theme and then prioritises compliance resources to drive the business to a target score. These continued conversations with management about risk appetite and profile underpin risk management. Secondly, such dashboards must be up-to-date and present the risks derived systematically from compliance work, not haphazardly as a monthly exercise.

They must allow compliance work to be redirected in risk mitigation. To do this in a large complex firm, the different processes and data that represent compliance work (from responding to regulatory proposals to training to monitoring and investigation) must be mapped and captured electronically. This is not a five-year programme of change but something a dedicated compliance software programme should begin delivering in months. Thirdly, compliance departments need to organise their presentation of risk and their underlying compliance programmes to reflect complex organisational structures. Senior management could be operating at legal entity, product-line, country or group level. Being able to map the organisational structure and slice and dice data as required is therefore an integral part of a system that supports a global business.

By integrating compliance work and exposing it to sound risk management, compliance will be armed with the information it needs to better direct compliance activity. Compliance departments can be far more efficient and agile. The crucial benefit of this is quite simply competitive advantage; the more a firm can demonstrate its capacity to manage risk, the more it can be allowed by a regulator to accept it.

Author Biography:

Kevin Ludwick is the head of regulatory services at QUMAS. Kevin joined the FSA in 1999, supervising all major European and Japanese financial institutions in London. He subsequently ran the Listing Review and was responsible for negotiating relevant EU Directives and revising the UK Listing Rules in parallel with Sarbanes-Oxley in the US. Further, he created a single supervisory function for the new Markets Division and built the FSA's centralised regulatory decisions function. Prior to joining the FSA, Kevin was the head of compliance for Bank of America EMEA, running a compliance function that operated across 11 jurisdictions, and before that was finance and compliance director for Indosuez Capital.

© 2007 Complinet Ltd and its contributors. All rights reserved.