The regulatory challenge

Speech by Tracey McDermott, director of enforcement and financial crime at the Financial Conduct Authority (FCA), delivered at Deloitte’s Chief Compliance Officer Event. This is the text of the speech as drafted, which may differ from the delivered version.

My brief for today was to talk about regulatory challenges and expectations and the role of compliance in helping us meet those.

In my view, the biggest regulatory challenge we have is how we, as around 3,000 people at the FCA, can effectively regulate the behaviour of around 70,000 firms and 150,000 approved individuals and many more non-approved individuals who make up one of the most significant industries in the UK. An industry where the UK has a long-established, hard-won reputation as innovators, as leaders in global financial services and, most importantly, as a place where people can have trust and confidence in the way business is done.

You don’t need me to tell you that this reputation has taken a hit in recent times as a result of both prudential and conduct failings. And that hit has been felt at all levels – from retail consumers, to institutional, to market participants, to the public and political perception of the sector. And the series of events of the last several years have resulted in unprecedented, and ongoing, change.  Changes to legislation – both in the UK and internationally; changes to regulatory structure; and, importantly, a change in societal expectations and a reduced – perhaps even zero – tolerance for wrongdoing. The general public no longer sees financial services as a profession providing a vital service to individuals and businesses. And that is despite the fact that we are in increasingly challenging financial times where people are being expected to take more responsibility for their own financial planning and financial future.

So against that backdrop the life of the regulator, and of the compliance officer, is challenging. And in a world where each member of the audience here probably has more people working in their compliance departments than we have in the whole regulator, the question we as the FCA ask ourselves is where and how we add value. What is our role in ensuring that trust can be rebuilt and that the problems of the past do not recur with such routine frequency?

In an ideal world - where markets worked perfectly and everyone behaved in a selfless way that served the common good then perhaps no regulator at all would be required. But that is not the world in which we live.

The world in which we live is one where many of the products provided by the industry are complex, often for good reason, but thus are hard for retail consumers to fully understand; where many are long term in nature so that it is difficult for consumers to judge fairness; where consumer understanding is poor; where there is substantial consumer inertia; where consumers have behavioural biases; and where providers are not significantly differentiated and some markets are not sufficiently competitive.

And alongside that there are commercial pressures and imperatives. People make mistakes, and some people will deliberately choose to behave in the wrong way for their own personal gain or because they think that is what their firm values (a topic I will come back to later).

So, as I see it, regulators exist to set the standards to help protect consumers, promote competition and ensure the integrity of the market. We ensure that the playing field is level and we seek to hold the balance between the interests of individual consumers, the wider market and firms that participate in the market. By making our expectations clear we enable those firms that wish to do so, to do the right thing.

But our role goes beyond setting minimum requirements and standards. We also help push firms where they might not otherwise go - we are, at times, the counterweight to the market pressures that might otherwise encourage you to cut corners; […] we are able to hold up a mirror to the industry and help you to look more objectively at how what you think is normal looks from the outside.

We can also encourage good practice through our unique perspective across the market which gives us the ability to see what good looks like as well, of course, as what bad looks like. And we are here, in part, to be your conscience and your policeman – to check that you are doing what you say you will do and to hold you to account when you don’t.

And, in many ways, what I have described as the role of the regulator mirrors the role of compliance.  You are, within your respective firms, also, I hope, performing those functions I have described.

And one of the ways the regulator has changed, and one of the ways that the role of compliance has changed, and should continue to change, is that our focus is increasingly not about telling people in detail what you can do or how to stay within the rules. Instead, our focus is on how we, and you, ensure that your firm does the right thing – if not every time then almost every time – not because the rules say you should but because that is ‘the way things get done around here’.

As compliance professionals you know just how tough that is. But we have a common interest in the long-term sustainability of a viable, respected and trusted financial services sector.

So our challenge - which is a shared one - is how we work together to get us to a better place, how we build on the progress of recent years and ensure we maintain momentum when memories of the bad old days start to fade.

Our expectation, as the regulator, is that you will play your part - that the reach and influence of the regulator will be magnified by the work you do within your individual firms.

But one of the biggest risks we collectively face is if we think that compliance alone is the answer. In the same way as regulators have to stop ourselves reaching for rules, you have to stop yourselves reaching for ever more prescriptive controls to try and fix deeper seated issues.

We have learned that rules alone are not the answer – the FSA rule book expanded significantly during the period building up to the crisis – but did it make people behave better? History would suggest not.

Rules, and likewise controls, are essential but they have downsides. At the extremes they encourage a culture which means that if something is not forbidden it must be allowed; they can encourage gaming - how do I take myself out of the precise situation of the control or the rule. They can absolve people of a sense of personal ownership of their own choices and make doing the right thing someone else’s responsibility.

We have seen some of those risks translating into reality. Processes that are intended to reduce risks for the firm can serve to prevent any exercise of judgement at all by the frontline. And that results in the sorts of examples we hear about of customers being unable to transfer to a smaller mortgage supposedly because of the mortgage market review, or of people having to prove their identity despite having been a bank customer for 30 years supposedly because of anti-money laundering (AML) requirements.

Over-control can mean that your colleagues at the front-end of the business feel absolved of responsibility and also, perhaps more importantly, feel unable to make sensible judgements and exercise common sense about what is, and is not, in accordance with the spirit of what you, as compliance, or we as regulators are trying to achieve.

As a result, frontline staff miss things they shouldn't, treat people poorly and act in a way that abandons common sense with the unsurprising outcome that it runs the risk of delivering the wrong rather than the right outcome.

What is often termed as ‘derisking’ in the AML context is an example of this. This is a term which covers many things – from provision of services to money service bureaus, to correspondent banking, to limiting access to bank services, to new start-ups.

Now, of course, managing risk – and indeed derisking – is a normal part of a commercial business operation and many firms have done it for many years. More recently however, the impression is that many firms, partially they say in response to concerns about breaching their financial crime obligations both here and abroad, have looked at broad swathes of customers they consider too risky and have either removed their bank accounts, reduced the services they offer them or will simply not consider them as potential customers.

This can have an impact upon individual customers or make it harder for industries that, while having the potential for being misused for AML, also offer important services to their own customers.

On the other side of the coin we hear stories of long-serving customers being required to visit branches to re-verify identities or other bureaucratic processes.

Yet, despite this, as our most recent thematic review in this area shows, alongside a number of enforcement cases here and overseas, firms are still getting this wrong when it comes to the really important and really high risk matters. So BNP Paribas can transfer $190bn in breach of US sanctions. HSBC can fail to adequately monitor over US$670bn in wire transfers from HSBC Mexico. A customer claiming to be a restaurateur was able to put as much as £1.1m into their account in the UK in a year when they expected to be turning over £20,000 to £30,000 without any questions being asked. But a new startup cannot open a bank account or your 87-year-old grandmother cannot transfer money without her passport. Something is awry here.

This is something in which we have been taking a particular interest. The AML rules are there for a good purpose and we want to see firms comply in an effective proportionate manner with them. So what do we as a regulator think about the current position?

As I’ve said before, firms must take their responsibility to reduce the risk of financial crime seriously. To do that successfully requires firms to use their judgement and common sense. That is not about box-ticking or wholesale de-risking.

It is about firms getting the basics right – understanding their customers, the risks they pose, and managing those risks proportionately and sensibly. It will be the case that some firms, having considered the customer, may still not wish to offer them a service. That is still their decision, but the money laundering risks of many firms can be - and we have seen examples of this - successfully managed.  Wholesale approaches to an entire sector, or controls that allow staff no discretion to avoid the wrong outcomes, are not required by our rules and should not be required by your processes.

Now, of course, that judgement-based and more flexible approach is much much more difficult than having a blanket rule and a flowchart identifying every possible permutation of events.  It means you have to rely on your staff. And to do that you must be confident about their competence, their training, their incentives. You must be confident that they understand the purpose of the rules – what they are trying to achieve and, underpinning all of that, that the culture embedded throughout the firm – and most firmly in the frontline of the business itself – is one that drives and values the right outcomes and the right behaviours. It is only when that exists that we will really achieve a sustainable, long-term model.

The example I have used is AML but the same principles apply to all sorts of other controls over other lines of business. So, stepping back from that, I think we have a shared objective: to reduce the size of compliance teams and perhaps even the size of the regulator,  by ensuring that compliance is not something done alongside the business, or to the business, but is instead something which is integral to the business. Because even with the much larger resources you have, you cannot have a compliance person sitting on everyone's shoulders. A much stronger, and more commercial, proposition is one where the culture and values drive behaviour, and people are accountable for their own actions.

But of course we don't start with a blank sheet of paper. We start with history - we start with scandals and missteps, we start with large fines and larger redress bills, we start with an industry where some have progressed because they did the things we don't like and were rewarded for doing so. We start in a place where, as LIBOR and FX have shown, the loyalties of your staff may be to people outside the firm rather than in it and where people no longer expect a job for life so have less vested in the reputation of the employer. For example, according to a Future Workplace survey, 91% of people born between 1977 and 1997 expect to stay in a job fewer than three years.

We also start from a place where we have lost trust and are working hard to rebuild it, where we are still building the new cultures and working out how to meet the new expectations, and where some firms or some segments of firms still have some way to go.

The good news is that the issues we care about, commonly termed ‘conduct risk’, are firmly on the agenda. But managing this risk is hard – it cannot be hedged or managed down. You cannot easily fix an ex-ante risk appetite so we need to think of a new approach.

The other piece of good news is that we are not likely to be out of jobs soon. Until the reality at all levels catches up with the rhetoric, then managing this risk needs effective controls, effective compliance functions, and effective regulators.

But all of those should depend on judgement and a focus on outcomes. And that requires staff to see that the reality does reflect the values proudly displayed and referred to by the firms. Bear in mind that people’s role models are not necessarily the CEO or the Chairman. The role models are the people they interact with day in day out: their line managers, their team leaders, their desk leads. They will judge the firm’s values by who they see rewarded – whether financially, or in terms of reputation or promotion. If you say you want something but your actions say something else, nothing will change.

So your job in compliance is not to design new processes and controls, it is to force the board to ask the difficult questions - how do you positively reward those who highlight problems, do you take whistleblowing seriously, do you use the wealth of information from complaints to drive improvements, do you really learn from the mishaps of your peers?

And we see you as an ally in this. We want to continue to work collaboratively with you. It is important to work through the challenges together – ask us for advice, tell us what is on your worry list, and we will tell you ours.