IMPACT ANALYSIS: Risk and Compliance under a Digital Transformation

What does digital transformation mean?

Digital transformations within an organisation usually starts with an ambitious vision, and many issues in risk and compliance need to be considered to make the vision a reality and create value for the organisation and protect consumer interests.

Digital transformation is about how an organisation can use technology to better inform their customers or improve their competition in the market.  The “transformation” may involve a whole shift of the organisation in leadership, culture, business challenges, confronting internal vulnerabilities, improving risk and compliance imperatives, acquiring specialised or skilled staff and keeping abreast of diverse regulatory changes. Digital transformation does not only mean that technology initiatives are improved rather, it is building a business model for the future and hopefully creating a unified compliance culture to manage and address the various business challenges and risks.

Building customer satisfaction within the business

Essential to any digital transformation project is ensuring that the organisation is obtaining the right data and proper processes to make sure that better customer support and exposure in the market is obtained.  Any transformation is intended to improve a range of attributes within an organisation from ensuring better customer satisfaction to opening new markets, selling new products and services or enhancing core competencies within the existing business. 

Leveraging Technology, Compliance and ATO Concessions

The benefits of the digitalisation

Thomson Reuters Regulatory Intelligence published its Fourth Annual Report on Fintech, Regtech, and the Role of Compliance.  The report concluded that many synergies will be gained from the effective implementation of new technologies, but numerous challenges must be overcome before potential benefits can be realised.  Investment continues to be required in skills, system upgrades, and cyber resilience before firms can deliver technological innovation without endangering good customer outcomes.  The complication to this is, that all businesses are in a competitive environment and need to innovate whilst at the same time, balance competitive threats with appropriate due diligence, risk and compliance imperatives. Firms need to ensure that their Risk and Compliance issues have been thought through.

Why Risk and compliance needs to be part digital transformation

Risk and compliance issues will be relevant to all organisations in transformation even if organisations have different business models. Digital transformation may tempt businesses to “go first to market” before competitors emerge and before the risk and compliance issues have been ironed out.  In this regard, organisations can learn from the mistakes of others who have rushed digital innovations to the market without paying attention to the risk and compliance components that under-girth the transformation.  Some organisations have been blindsided by the business opportunities and have failed to pay attention to detail and exposed themselves to significant regulatory penalties in the multi millions, losing customers, shareholder value, market share and the competitive edge in the process.

Risk and compliance challenges

With digital transformation, comes various compliance and risk challenges.  According to the Thomson Reuters Cost of Compliance Report 2020, the top three challenges for compliance teams are keeping up with regulatory change, budget and resource allocation and data protection.  Digital transformation will require organisations to have a unified cultural compliance approach as they develop new technologies. The report points out that although organisations may have a competitive advantage and have used precious funds in doing so, this can also provide a false sense of security where organisations do not understand their internal vulnerabilities.

Digital transformation is not only about the technological initiatives or the keeping of data, but rather it is creating a holistic model for the future and culture, risk and compliance will play an important part to ensure an organisation’s longevity.  Some of the issues for organisations to consider include the following:

  • Culture and conduct risk
  • Increasing regulatory burden
  • Budget and resource allocation
  • Data protection
  • Cyber security
  • Senior management liability
  • Outsourcing
  • Regulatory convergence

Cultural and conduct risk

The main issue confronting organisations is to create a unified compliance culture.  The consideration of culture and conduct risk has become the new normal.  These expectations have been articulated in numerous regulatory speeches and are inherent in the approaches to the senior management accountability regimes.  According to the Cost of Compliance Report, last year, 34 percent of firms surveyed said that they had discarded a potential profitable business proposition due to culture or conduct risk concerns. A firm choosing to avoid a potential profitable activity when they have considered they have not put in place proper risk and compliance procedures is a powerful demonstration of culture and risk policies working. 

Embedding regulatory change is a challenge for every organisation’s culture.  The task of instilling the culture of compliance remains a constant problem for compliance teams.  The question for organisations is how to embed a compliance culture.  Boards and senior managers should ensure that there are clear policies and procedures, training and development, and monitoring processes in place.  Culture should be articulated by the Board and senior management and be reinforced by suitable award, recognition, and disciplinary procedures.  Getting culture “right” may need a change of management mindsets and individual opinions to ensure the shift to corporate values. It is a task that is always ongoing and development.

Conversely, there are many examples where large organisation’s have overlooked basic risk and compliance components to rush a new technology application to their consumers without thinking through all the compliance issues only to be met with compliance catastrophes costing the organisation multi-millions of dollars in regulatory fines. When reviewed often the culture of these organisations was to put “deals” before integrity and organisational interests were put before the interests of customers. There are many examples were organisational culture has failed and CEO’s have lost their positions as a result of it. Getting culture right is paramount for an organisation’s longevity.

Increasing regulatory burden

Regulatory change was reported in the Thomson Reuters Cost of Compliance report as the top compliance challenge for 2020.  There is no doubt that organisations are concerned about the growth of regulation and the increased regulatory burden on their staff.  In 2019, Thomson Reuters Regulatory Intelligence captured 56,624 regulatory alerts from more than 1,000 regulatory bodies, averaging 217 per day.

The important point is not to be overwhelmed by these ongoing continuous changes. It is important to concentrate on the risk and compliance framework that your firm needs and understand the requirements. There are effective tools such as Thomson Reuters Regulatory intelligence that can provide regulatory updates and training that allow, staff to concentrate on the day to day risk and compliance operations.

Budget and resource allocation

Organisations need to ensure that there are budgets and resources available to create a unified compliance culture by employing and retaining appropriately skilled staff to deal with regulatory changes and/or to improve procedures and risk management frameworks within the organisation.

Firms undertaking digital transformation, should consider placing greater emphasis on ensuring that they have adequate resources and skill sets to deal with the risk and compliance at hand and the various flow through stages into the market.

Data protection

Data protection is a vital challenge for organisations and an increasing challenge to many organisations as a result of the greater number of firms dealing with customers online through applications and web-based technologies, which means that firms need to keep pace with fast moving technology for information and transactions. With increased data flows internationally and big data comes more emphasis on data security. Regulators have put firms on notice about their need to fulfil their responsibilities and there are significant fines where data breaches adversely affect customers. Digital transformation must ensure that there are proper procedures in place to collect, secure and transfer data.

There is also the issue that there are many different data protection laws internationally, that can cause confusion when customer data is being transferred from one jurisdiction to another and in many circumstances, there is an overlap of laws adding to the confusion. There are also issues where data is stored in “clouds” and how regulators can access the data. Although the European GDPR has been a blueprint for regulatory reforms it has strict requirements and high penalties. The Asia-Pacific region and the United States have gone their own way in drafting data law. What is required is practical harmonisation of data protection laws and more flexibility. Regulators are aware of the issue, but reforms may be along time off.  

Cyber security

Cyber security remains of paramount importance as firms embark on the pathway of digital transformation in various forms.  In February 2020, the European Systemic Risk Board published a report which estimated the total cost of cyber incidents for the world economy in 2018 could reach up to US$ 654 billion.  Organizations in the United States spend more than ever to deal with the costs and consequences of more sophisticated attacks— the average cost of cybercrime for an organization increased US$1.4 million to US$13.0 million.  Large organisations in the US are predicted to spend $12.6B on cloud security tools by 2023, up from $5.6B in 2018.

In the Financial Stability Board (“FSB”) report Financial Stability Implications from Fintech, emphasised the need for organisations to focus on incorporating cyber security in the early design of systems and increase financial technology literacy, to help lower the probability of cyber events.

What is the answer to the growing cyber threat? A recent IMF paper emphasises that supervision activities to build resilience is part of the answer. Increased supervision applies to supervisory/regulatory agencies and firms need to build their own self-resilience and need to consider the following in dealing with the cyber threat:

  • identify the threat landscape;
  • map the cyber and financial network;
  • create coherent regulation;
  • conduct supervisory assessment;
  • establish formal information sharing and reporting mechanisms;
  • provide adequate response and recovery;
  • ensure preparedness of supervisory agencies.

Proper cyber resilience is a must, if organisations want to deliver technological innovation and ensure that they do not endanger customer outcomes.  Firms can bolster their defences by seeking to ensure organisational confidential files and client data are securely and readily backed-up in a remote connected back-up or storage facility.  Firms need to assess frequently the types of cyber attacks that they are susceptible to and ensure that they can protect the organisation’s information in the event of an attack.

Senior management liability

Technology and its failures or misuse is increasingly being linked to the personal liability and accountability of senior managers.  As previously outlined, there are several examples of CEOs and senior managers  from major institutions who have lost their positions because of “rush to market mentality” and have been held accountable for major failures in technology that put customers at risk, caused reputational damage, significant fall in the share price to the company – all attracted multimillion dollar regulatory penalties.

Regulators internationally have introduced personal accountability regimes to drive better risk aware standards of behaviour and ensure that senior managers are now “on the hook” in the event of serious compliance failures and are now enforcing the law.  Compliance managers and senior individuals are on notice that they can be held accountable.  Senior individuals need to ensure that they focus on culture and conduct risk issues. This means that in digital transformation scenarios, if products with compliance weaknesses are rushed to market to the detriment of consumers or data breaches, then senior managers may face regulatory penalties and lose their positions.

Senior individuals can manage their personal liability by keeping abreast of regulatory changes, knowing exactly how they are responsible at any point of time, ensure that their activities in their areas of responsibility are structured and tested.  The Cost of Compliance report emphasises that senior managers need to ensure that there is comprehensive record-keeping in relation to products and the discharge of their relevant obligations can be demonstrated.  More than 58 percent of respondents surveyed for the report expect the personal liability of compliance professionals to increase in the next few years.

Outsourcing

With the development of new technology and flexible working practices, there is a marked increase in the number of firms which have outsourced important components of their business including compliance functions.  Outsourcing is seen as a good way of leveraging expertise and skills from already over-stretched organisational budgets.  It is estimated from Thomson Reuters surveys that more than 34 percent of firms in the finance industry, are now outsourcing all or part of their compliance functions.  Other areas of outsourcing include auditing, third party due diligence, enhanced due diligence, anti-money laundering monitoring, KYC processes, staff training, and client onboarding.

Firms have to be cautious when they outsource and in particular, the outsourcing of technology is seen as a risk with the use of Cloud services.  Regulators internationally have issued guidelines in this area and the level of regulation increased where firms got it wrong.  There have been several high-profile cases where firms have been fined over USD2 million for failing to manage outsourcing properly in relation to data protection and the outsourcing of fund administration activities.  Organisations and their compliance officers need to ensure that they have a line of sight over all the out-sourced functions and keep agreements under review.

Regulatory convergence

It goes without saying that there are real challenges for regulators. Financial regulators and supervisors can be drivers of, or brakes on, any digital transformation. Digital transformation factors in compliance, does not tend to factor in regulatory risk.   As firms embrace widespread digital transformation projects, regulators will need to be on the front foot and respond to innovation with more practical solutions that hopefully includes greater international co-operation in setting down and establishing regulatory frameworks.

Additionally, it may take time or even years for regulators to see problems arising from digital transformation. For example, some big data analytic models make it difficult for regulators to assess robustness of the business models or the new unforeseen risks to determine whether market participants are fully in control of their systems or if consumers are at risk.  In one example, a major bank introduced a digital funds transfer platform that failed to incorporate basic regulatory requirements set out in money laundering legislation.  The regulatory breaches took three years to identify and by then the bank was responsible for many thousand individual breaches of the law and is now facing a multimillion-dollar penalty.

Regulators may need to prioritise areas for international co-operation and harmonise laws to ensure jurisdictional consistency and prevent convergence. For example, if data protection and cyber security regulation is not harmonised internationally, it may limit investment into many jurisdictions and in the long-term, impede the potential benefits of digital transformation.  Regulators in the future will have to be more agile and focused on outcomes as traditional business models fall away as next generation technologies are implemented.

Concluding remarks

There is a clear consensus that the next 5 to 10 years, many businesses will be involved in digital transformation.  There will be benefits and greater efficiency and better use of data to support business operations if the associated compliance and risks are properly managed.  However, organisations and regulators need to keep abreast of the evolving risk and compliance issues.  We must all strive to understand that increased speed in analysis and execution from the inundation of data, consumer information, technology, algorithms, should not come at the expense of the rigour in managing compliance and risks or at the expense of protecting consumers who are sometimes forgotten with the fast moving inovation.

Niall Coburn is the Regulatory Intelligence Expert at Thomson Reuters in the Asia-Pacific region and a Barrister at the Queensland Bar.

As an expert on regulatory issues at Thomson Reuters, Niall writes articles, white papers, gives presentations in the region and liaises with the banking industry internationally concerning regulatory developments in the Asia-Pacific region.

Prior to joining Thomson Reuters, he was the regional Managing Director at FTI consulting, responsible for leading its Regulatory and Forensic Investigation Practice in Australia. FTI is a global consulting firm listed on the New York Stock Exchange with 500 offices worldwide.

Niall was also a Senior Lawyer and Specialist Adviser at the Australian Securities and Investments Commission. In this role he led high-profile investigations into complex corporate crime cases. He has also worked internationally, being part of a team that created the regulatory structure for the Dubai International Financial Centre (DIFC).

Niall was appointed Director of Enforcement at the DIFC in 2003 and worked with international law enforcement agencies to combat financial crime.

Niall has also worked in the Asia-Pacific region in his own consultancy, Coburn Intelligence in China and Hong Kong, investigating major frauds and misleading conduct in the investment industry.

Niall was awarded an Australia Day Honour from the Commonwealth Government for his work leading major criminal investigations at ASIC. He is a Barrister of the High Court of Australia and a member of the Queensland Bar Association and the International Bar Association.

 

Subscribe toTax Insight

Discover best practice and keep up-to-date with insights on the latest industry trends.