For the past two decades, the financial services and financial technology (fintech) industries have entertained, incubated and often discarded various new-and-improved solutions that claim to transform the way they conduct compliance risk management.

Its member companies have been on the receiving end of a litany of buzzwords over the years in the form of proposals that promise to bring these functions into the 21st century. As we reflect now, nearly a quarter of the way through that century, it is still difficult to find organizations that have “figured it out,” with many struggling to adhere to some key fundamentals. 

Startups and smaller financial services and fintech companies do not have the budgets for large-scale overhauls or investments in cumbersome compliance technologies. Larger and established companies also struggle with shaking up the status quo due to entrenched interests, inertia and skepticism over how these proposed methodologies would result in real change. Compliance departments are generally dealing with the same challenges they dealt with 20 years ago. They are buried in manual backlogs and seen as the perpetual naysayer. 

While the truth is no single unified methodology exists that can perfect compliance risk management, there are certainly ingredients that can mitigate common vulnerabilities. These vulnerabilities often manifest into the usual complaints, no matter the size of the company: Compliance is too slow, too expensive, thwarts the business or catches bad actors with the effectiveness of a sieve. The degree to which these issues take place, however, can be addressed with straightforward principles that are often neglected or forgotten. 

For newer companies, business growth is critical to staying alive. Compliance is frequently not a top priority as risk tolerance levels are often higher. Often, Compliance may be the responsibility of a very small number of people, or sometimes just one individual; in some cases, that individual may focus on compliance only part-time if they wear other hats in the company, such as general counsel or head of risk. Thus, it is important that such principles do not require investments that hamper growth, but rather add value to the company by increasing confidence in the offering. These companies’ older brethren can benefit just as well from prioritizing these five fundamentals.

1. Build healthy relationships with Business Units, Product and Engineering.  
There is no formal methodology to facilitate effective relationships between Compliance and Business/Product/Technology/Engineering (business) professionals so they feel like they are on the same team. This is an art, not a science, entirely about soft skills. At its core, this relationship is a two-way-street: The business needs Compliance’s input and approval on new products and initiatives, while Compliance needs business and technology support as well as resources to develop its own infrastructure and capabilities (which, in a perfect scenario, improves the business’s bottom line). Especially in startups, where Compliance is not necessarily the top priority, the onus falls on Compliance to help the business realize they are all working toward the same goals — the success and protection of the company and its customers. 

Even if a formal Product Compliance function has not been established, it can be a major advantage if Compliance can hire professionals who have business and technology experience, as they understand the challenges those in Product and Engineering organizations face. These individuals can foster positive, working relationships by joining product meetings, communicating the prioritization of Compliance’s requests, suggesting approaches that tackle multiple issues or asks with one solution, grouping requests into must-haves and nice-to-haves, and by considering cost and ease of implementation when performing vendor due diligence, in addition to just measuring the comprehensiveness of features offered.

2. Develop ongoing processes to determine when a regulatory change impacts the company.
While much of a nascent Compliance function’s effort is spent on the day-to-day activities such as alert clearing and Product Compliance, one of its critical responsibilities is to quickly identify regulatory changes in relevant jurisdictions and determine how these events impact the company. 

Sometimes referred to as regulatory mapping or regulatory change management, industry frameworks on this topic can get rather cumbersome; however, these can usually be boiled down to four key steps:

• Detection: Compliance must have the ability to detect when a regulatory change takes place. 
• Assessment: Compliance must assess whether and how the company’s processes and products are subject to a subset of the trigger’s requirements. In the absence of regulatory monitoring services and an expansive, hierarchical mapping between regulatory rules and company processes, these first two steps require assigned professionals who have solid knowledge of a jurisdiction’s regulatory environment as well as the company’s products and services. 
• Remediation: Once impacted processes with regulatory compliance risks are identified, mitigating controls must be designed and implemented. Compliance should maintain a running record of how each compliance risk is mitigated by manual or automated control(s). 
• Testing and Monitoring: Lastly, these controls must be periodically tested, to ensure they function properly and are monitored as part of ongoing work to determine if the controls identify any issue that needs to be further addressed.

3. Document processes for internal reuse and audit readiness. 
While it sounds simple, many companies, mature ones included, do a poor job of documenting Compliance processes and methodologies, despite the enormous payoffs. Creation and maintenance of a simple document library with clear owners over each process is all that is required. Two key benefits to effective documentation include:  

• Whenever investors, partners, internal or external audits, annual risk assessments or regulatory reviews require information, it is readily available and reusable.
• When the company experiences turnover, which is inevitable, such documentation will help prevent the need to reinvent the wheel.

4. Assemble a team of doers and thinkers. 
Achieving a balance of the right talent is a goal that every organization tries to perfect. One way to think about this balance for the Compliance function is to develop a blend of people who focus on day-to-day tasks (such as onboarding, monitoring, alert clearing, and suspicious activity reports) and those who focus on the long-term strategy of the Compliance function. Both are needed, but if the scale leans too much to the former, then potential improvements and efficiencies may not be realized, or even ideated. If the scale is heavier with the latter skillset, work and backlogs will continue to pile up. 

Building a blended team will allow for professionals who have experience performing and executing their specific compliance tasks — such as writing policies, performing KYC, setting thresholds, conducting monitoring and tuning, etc. — and professionals who have experience with cost-benefit analyses, who are always questioning whether there is a faster, cheaper way to achieve the same goals, either through technology, threshold modifications, merging similar processes, or partnering with other functions.

5. Perform tooling cost/benefit analysis. 
Lastly, there are an endless supply of technology and tooling options for companies to choose from to help lift their teams out of the abyss of repetitive, manual and menial tasks, ranging from in-house and vendor choices, from bespoke to out-of-the-box options, from single-issue solutions to broad multi-dimensional platforms. However a company narrows down its list of candidates to help tackle a specific problem or set of problems, it is important to project the payoff of such an investment. 

Institutions, both big and small, often overpay for mammoth platforms they do not need, have time to maintain, or are even fit-for-purpose. Just as frequently, they withhold up-front investment in instances where a solution can provide a serious competitive advantage and add to the bottom line over time. When conducting these cost-benefit analyses, it is important to consider up-front costs, including both one-time implementation and labor costs, as well as ongoing costs to maintain the given technology, whether it be licenses, Engineering, or both. 

It is also important for the Compliance team to consider and incorporate variables that will change over time on both sides of the equation, such as the number of internal users or external customers. The most difficult part of these analyses, however, is not in calculating the costs, but the benefits. Convincing business leaders to make investments based on “improved efficiency” will not be good enough, especially at a startup.  Compliance professionals should think about if the solution will ultimately speed up the onboarding of customers, free up engineers’ or Compliance professionals’ time, or more accurately catch bad actors, translating into real revenue increases and cost savings. Putting real dollars against these expected benefits will go a long way in helping the business see the light, freeing up Compliance manpower to use its brainpower.

In conclusion, if both fledgling and mature Compliance programs are looking for ways to gain an edge without much investment, pursuing the five objectives above may yield some impressive returns for the company. Even if the above goals seem obvious, they are not usually performed well consistently, so focusing on them may have an outsized impact given their relatively little upfront costs. There is no better way for Compliance to ingratiate itself with the business than by prioritizing inexpensive, common sense game-changers over unnecessarily complex frameworks and systems. 
 

Contact the A&M Team Today

Contact Us