Compliance and Risk Management Vigilance in the Era of COVID-19

Since the 2008 financial crisis, substantial resources have been allocated to risk management and compliance functions as financial services firms have sought to ensure compliance and financial stability and strengthen operational resilience plans.

In January 2020, the general expectation among compliance experts at these firms was a continuation of 2019 trends such as higher resource costs, lower tolerance from regulators for unresolved compliance issues, and continued challenges of managing a culture of compliance. Some firms were more prepared than others to address these trends, but few would have predicted the economic disruption, staff dislocations, and specific types of new risks resulting from the global pandemic.

Given the current state, four areas have emerged that need special attention in 2020-21:

  • Enhanced cybersecurity due to new vulnerabilities and persistent attacks
  • Transition to digital regulatory reporting to ease the resource burden
  • Elevated compliance awareness and training for management and staff
  • Increased outreach to regulators

Addressing all these areas with equal effort in 2020 may feel overwhelming. Instead, consider ranking the relative priority of each area based on the current status of your organization’s risk management and compliance programs.

Risk Management and Compliance Status Categories

1. All-Stars: Successfully implemented all requirements from the recent waves of regulations and are adequately staffed to manage the associated monitoring and reporting for the foreseeable future.
2. Honorable Mention: Have partially implemented applicable regulatory requirements but are adequately staffed to complete the work and manage the future workflow.
3. Yellow Alert: Have partially implemented applicable regulatory requirements but are unable to find appropriate resources given budget constraints.
4. Red Alert: Have major gaps in implementing critical regulations and are at risk of incurring severe penalties and reputational damage.

Priorities Matrix

Maturity Level Cybersecurity Digital Regulatory Reporting Internal Compliance Awareness Regulator Outreach
All Stars 1 2 3 4
Honorable Mention 1 4 3 2
Yellow Alert 3 4 2 1
Red Alert 3 4 1 2

 

Congratulations if your firm is an All-Star, but you don’t have time for celebrations or complacency. You are among the firms that are best positioned to invest additional time and resources in enhanced cybersecurity, which is an immediate defensive need due to the extended period of staff working remotely and increased attacks that can put firms at risk.

As an All-Star, you are also in a good position to become an early adopter in digital regulatory reporting (DRR). DRR is a relatively new concept that would minimize the labor and errors in preparing complex reports for regulators.

Firms in the Honorable Mention category should also consider a defensive investment in enhanced cybersecurity so that you are not subject to vulnerabilities that could wipe out the good reputation you have developed internally and externally.

The next priority for Honorable Mention firms should be increased outreach to regulators to proactively inform them of progress on open compliance projects. Traditionally, regulators have been difficult to engage due to their time constraints and have had a low tolerance for delays in compliance. However, that attitude has shifted in the era of COVID-19. For example, earlier this year, the New York State Department of Financial Services (DFS) extended deadlines by 45 days for cybersecurity certification and anti- money laundering (AML) monitoring.

If you are a Yellow Alert firm, reaching out to the regulators with more frequency should be considered a number-one priority. While greater tolerance for delays is not guaranteed, recent evidence suggests that you may find some flexibility if you are in touch and can demonstrate that you are actively working towards the objectives. Your next priority might be cultural awareness within the firm, particularly among senior managers, so that you can receive the budget and support you need to fulfill the regulatory challenges.

Finally, if you are a Red Alert firm, your first priority should be to educate senior management about the current situation and corresponding risks before your shareholders read about a violation on their favorite internet news site. For instance, on July 20, 2020, the SEC fined a large financial firm $10 million “to resolve charges that it circumvented the priority given to retail investors in certain municipal bond offerings.” The SEC reported that this practice had been persisting for four years without resolution.

Yellow and Red Alert firms need immediate help with resources, which will be less costly for the firm than fines and a tarnished reputation. In the recent report on “Cost of Compliance: New Decade, New Challenges,” Thomson Reuters Regulatory Intelligence noted that in troubled times, firms need a well-resourced, highly skilled compliance function more than ever. Furthermore, if possible, they should consider investing in skills at all levels, in operational resilience (particularly in terms of IT infrastructure) and in embedding your approach to culture and to conduct risk.

At Mediant, we stay at the forefront of the regulatory landscape, and continuously adopt changes into our processes to support our clients. Our MIC technology platform reduces regulatory and financial risk by providing operations and compliance professionals with 24/7 access to centrally view, create and manage all investor communications (IC) jobs and distributed documents, and efficiently execute all aspects of IC programs. By leveraging real-time data, compliance and risk managers can monitor compliance with regulatory requirements in detail and address potential risks before they materialize.

For additional information, contact us.