Do banks calculate the cost of non-compliance every time a new regulation comes into force? You’d be forgiven for thinking that this sort of thing is a formal part of resource allocation/balancing of priorities. Well… no, not really. However, this state of affairs is understandable and the key challenges we see are:
The cost of non-compliance is very uncertain. Regulatory bodies themselves are not always clear/prescriptive when it comes to setting the cost of a contravention (though GDPR is a good recent counterexample with its two tier fine structure set at: up to €10 million, or 2% annual global turnover — whichever is higher; and up to €20 million, or 4% annual global turnover — whichever is higher)
Lack of historical precedent and rulings, i.e. if a regulation is new, there is no track record to fall back on
Lack of a methodology for estimating the cost of overall non-compliance versus non-compliance with specific sections of a given regulation
The sheer volume of regulations already in place across the globe and those which are planned (this was touched upon in our previous blog "RegTech Reporting - Promising Too Much?")
Of course, the aim is never to be non-compliant, so most banks just focus on getting the job done. However, they often come unstuck:
~$1T+ in industry profits have been wiped out [globally] since 2008 as a result of employee misconduct. (Medici, The RegTech Report 2018)
It’s understandable why regulators will not publish fixed fines across the board. Doing so could lead to a gaming of the system, whereby banks simply weigh the cost of a contravention against the margin they could generate by intentionally breaking the rules. Call me a pessimist, but history has proven this to be the case time and again. So it’s highly unlikely that regulators will get more specific on this front.
With that in mind, banks should simply “stay close” to their regulator as they embark upon their journey of compliance and seek to establish the boundary of acceptable risk mitigation vs. unacceptable non-compliance along the way.
In addition, measures can be taken to produce estimates as a means of forcing board members and decision makers to take regulation more seriously. Determining costs as part of change planning can be done in a range of conventional and creative ways.
One way to do this might be to solicit actuarial services (it’s a basic use case for them, given the complex nature of most insurance pay-out scenarios). When I spoke to an actuary about this recently, they pointed out that the lack of historical data would be a limiting factor in modelling the costs. However, we discussed using sound assumptions to model the cost of a contravention, and combining that with a review of internal processes to determine the likelihood of a breach. This could be a very interesting way of giving the board a view of likelihood of breach vs. exposure. Further, the cost can be weighted against annual statement figures and ratios (e.g. revenue, net profit and cost of capital) to give a “bottom line” perspective.
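To make the likelihood-times-exposure idea concrete, here is an added worked example (my own illustration, not the author’s or any actuary’s model). It takes the GDPR two-tier cap quoted above as the statutory maximum, derives an annual breach probability from a hypothetical 1 to 5 process-maturity score per control, draws the fine-given-breach from a triangular distribution over a fraction of the cap, and reports expected and tail loss as a share of net profit. The maturity-to-probability mapping, the severity distribution, the base rate and all the numbers in the example call are assumptions chosen for illustration.

```python
"""Illustrative regulatory exposure model (added example, not the post's own method).

Hypothetical assumptions, stated here and in comments:
- Annual breach probability falls linearly with the mean 1-5 maturity score of the
  reviewed controls (1 = ad hoc keeps the base rate, 5 = optimised keeps 20% of it).
- The fine actually levied, given a breach, is a fraction of the statutory maximum
  drawn from a triangular(low, mode, high) distribution.
- The statutory maximum is the GDPR two-tier cap quoted in the post.
"""
import random
import statistics

# From the post: higher of a fixed cap or a percentage of annual global turnover.
GDPR_TIERS = {"lower": (10_000_000, 0.02), "upper": (20_000_000, 0.04)}


def gdpr_max_fine(turnover_eur: float, tier: str) -> float:
    """Statutory maximum for the given tier: max(fixed cap, pct * turnover)."""
    fixed_cap, pct = GDPR_TIERS[tier]
    return max(fixed_cap, pct * turnover_eur)


def breach_probability(maturity_scores: dict, base_rate: float = 0.30) -> float:
    """Hypothetical mapping from process-maturity review to annual breach probability."""
    if not maturity_scores:
        raise ValueError("need at least one reviewed control")
    for name, score in maturity_scores.items():
        if not 1 <= score <= 5:
            raise ValueError(f"maturity score for {name!r} must be in 1..5")
    mean_score = statistics.fmean(maturity_scores.values())
    # maturity 1 -> base_rate; maturity 5 -> 0.2 * base_rate (assumed linear)
    return base_rate * (1.0 - 0.8 * (mean_score - 1) / 4)


def simulate_exposure(turnover_eur: float, net_profit_eur: float, maturity_scores: dict,
                      tier: str = "upper", severity=(0.01, 0.10, 0.50),
                      trials: int = 20_000, seed: int = 1) -> dict:
    """Monte Carlo over one year: breach? -> fine = fraction of cap; else zero loss.

    severity is (low, mode, high) fraction of the statutory maximum (assumed).
    """
    if net_profit_eur <= 0:
        raise ValueError("net profit must be positive to express loss as a ratio")
    rng = random.Random(seed)  # fixed seed keeps the board-pack numbers reproducible
    p_breach = breach_probability(maturity_scores)
    cap = gdpr_max_fine(turnover_eur, tier)
    low, mode, high = severity
    losses = []
    for _ in range(trials):
        if rng.random() < p_breach:
            losses.append(rng.triangular(low, high, mode) * cap)  # (low, high, mode) order
        else:
            losses.append(0.0)
    losses.sort()
    expected = statistics.fmean(losses)
    return {
        "breach_probability": p_breach,
        "max_fine_eur": cap,
        "expected_loss_eur": expected,
        "loss_p95_eur": losses[int(0.95 * trials) - 1],
        "expected_loss_pct_net_profit": expected / net_profit_eur,
    }


if __name__ == "__main__":
    # Constructed figures for a hypothetical bank; not taken from any real institution.
    review = {"access control": 3, "data retention": 2, "breach notification": 4, "DPIA": 3}
    result = simulate_exposure(turnover_eur=2_000_000_000, net_profit_eur=250_000_000,
                               maturity_scores=review)
    for k, v in result.items():
        print(f"{k:30s} {v:,.4f}")
```

The point of the example is the shape of the argument rather than the numbers: the board sees a probability, a statutory ceiling, an expected loss and a 95th-percentile loss, and the last line ties the figure to net profit. Replacing the maturity-to-probability mapping and the severity distribution with ones calibrated on whatever enforcement history does exist is the part an actuary would own.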
In summary, it needn’t be difficult to demonstrate this as part of the approach to achieving regulatory compliance. Look at the maturity of the related processes and use sound models to determine what the cost of a contravention could be, along with its impact on the financial statements. The industry has the data, tools and resources to do this on a formal basis. It will help make data-driven decision making more of a reality and can only serve to demonstrate to regulators that banks take the matter a lot more seriously than a simple “box-ticking” exercise.
Thanks for reading and as always, comments and challenges are welcome and sharing appreciated!