Natasha Vernier
Jan 17, 2022

The Heavy Cost of Ineffectiveness

Anything less than full monitoring of controls leaves room for error - finally you can do away with manual dip sampling. Cable provides automated evidence of your compliance, risk management and effectiveness, allowing you to:

Why manually test 100 accounts when you can automatically monitor 100%?

Introduction

Regulators, international standard setters, and private sector groups have all started to talk about prioritising financial crime effectiveness over technical compliance. There is growing momentum as more people come to the realisation that financial institutions must be able to prove that what they’re doing is not just legally compliant, but is actually working to reduce financial crime.

The overall message from these organisations is clear, and it is only a matter of time before firms around the world are obliged to demonstrate the effectiveness of their financial crime controls.

Whilst there are clear financial benefits to measuring and evidencing financial crime effectiveness, how to do so remains unclear.

This series provides a deep dive into the world of financial crime effectiveness, covering:

  1. The Heavy Cost of Ineffectiveness
  2. What the Regulators are Saying About Effectiveness
  3. How to Measure Effectiveness

Download the full whitepaper

Part 1: The Heavy Cost of Ineffectiveness

Summary

  1. Building and maintaining a financial crime compliance framework costs a huge amount, and the best outcome is the absence of punishment from regulators.
  2. In the face of poor outcomes, the financial crime industry has seen a shift towards effectiveness, most keenly reflected in the increasing number of regulatory fines that mention 'ineffective controls'.
  3. Firms have ineffective financial crime controls because they don’t know what crime to look for and have inadequate testing of controls. In addition, they are unable to evidence their effectiveness to regulators.
  4. The cost of fines is only the tip of the iceberg, with remediation projects easily costing triple or quadruple the original penalty.

Do You Get What You Pay For?

They say ‘you get what you pay for’, but in the world of financial crime, that hardly seems to be the case. As all financial crime professionals know, building and maintaining a financial crime compliance framework can cost an enormous amount. People, technology - it all adds up. In return, the best response firms can expect to receive from regulators is the absence of punishment, while at worst they face censure, public criticism and ultimately fines and other forms of civil or even criminal enforcement action.

This happens to financial firms of all sizes and types and often not as a one-off occurrence. Once under the eye of the regulator, firms can end up in a vicious cycle of criticism, remediation and further investment to rectify problems. Cost piles on cost, and if this isn’t bad enough, there will be reputational and commercial damage, the costs of which can be hard to quantify.

It is easy to take a resigned attitude to these problems. Regulatory-induced costs and criticism have been dogging the financial services industry for many years. But are we really beyond finding new ways to tackle these challenges, and do we need to just keep treating the symptoms, rather than look for a cure?

Almost certainly not. At Cable, our approach has been to go back to the root cause of the problems, and ask why firms are spending so much money and getting such poor results. What we have found is that the issue isn’t about money, will, or commitment. It’s a matter of effectiveness. Not only being able to make effective financial crime frameworks, but also being able to demonstrate this to regulators.

In this three part series, we will look at the question of financial crime effectiveness from several angles: the financial impact of ineffective frameworks on firms; regulators’ growing emphasis on the issue; and most importantly, how innovative solutions can be applied to address the issue. Because there’s no reason why the industry has to live with ineffective financial crime controls - or their costly consequences - any more.

Effectiveness on the Agenda

Over the last twenty years, the primary goal of financial crime professionals has changed. At the outset, international standard setters at the Financial Action Task Force (FATF) and national regulators focused on the concept of compliance. They set the rules and regulations, and firms were expected to meet them. How they did so was less of an issue - it was just a case of ticking the boxes.

But it soon became apparent that this approach was inadequate, and firms were next encouraged to take a ‘risk-based approach’, which varied the application of financial crime controls in the face of their own distinctive risk environment. Whilst somewhat of an improvement, difficulties in application remained, and the overall outcomes have remained poor.

Poor Outcomes and Impact

As a result, the financial crime rule-makers have increasingly emphasised the concept of effectiveness as the target at which firms need to aim. Regulators’ evolving perspectives on effectiveness is a topic we will look at in more detail in the next part in this series. Suffice it to say at this stage, however, that even if there are varying opinions about what effectiveness is, there is a universal sense that it matters to regulators and is shaping how they go about their supervisory duties.

Ineffective Controls and a Lack of Independent Testing

In our own research looking at US and UK fines given for financial crime failures between 2018 and 2021, we found that the reason most often given for a negative finding was ‘ineffective controls’, by both value and count of fines.

In addition, inadequate or ineffective independent testing of controls has been mentioned in an increasing number of fines, demonstrating that regulators see the testing of controls as part and parcel of demonstrating their effectiveness.

Why so Ineffective?

Media narratives often blame financial services firms themselves for the prevalence of financial crime, attributing failures to laziness, greed, or even malfeasance; and, yes, some businesses do make bad mistakes, intentionally and otherwise. But in reality, most firms that get called out by regulators have acted in good faith.

So why then are they getting criticised for ‘ineffective’ financial crime controls? There are a number of practical - and in many ways completely understandable - reasons:

  1. Controls are often poorly configured because firms just do not know what they are looking for when it comes to detecting financial crime. Controls are based on old typologies - ‘industry lore’ - about what crime looks like, meaning that firms end up with a static approach that is less ‘risk-based’ than many would like to claim, and almost always backwards looking.
  2. This problem is compounded because most firms have difficulties in testing, optimising and reconfiguring their controls in real time. This comes from a lack of flexibility in available testing solutions, as well as from organisational and structural problems which make it difficult to fine-tune controls to an ever-changing financial crime risk environment.
  3. Finally, even when firms do take good, risk-based decisions and detect financial crime effectively, they often lack the systematic evidence to demonstrate this to regulators.

Costly Consequences...

Our analysis of fines given by the US and UK regulators found that nearly $2bn worth were given in 2021. The largest fines were given to well established banks, such as Natwest, who were fined £265m, and Capital One, who were fined $390m.

Amongst challenger banks and fintechs, there can be a tendency to think that these kinds of fines are something that regulators only impose on large banks. But although there is a legal onus on regulators to take a proportionate approach, that doesn’t mean that younger firms are immune to significant regulatory fines either, and as such firms grow, they are gaining more regulatory attention. Indeed in 2021 alone, Bitmex were fined $100m and N26 were fined $5m. These are expected to be the first of many more fines to hit challenger banks and fintechs in the coming years.

...Before and After a Fine

Whilst the costs most discussed by the media are the reported regulatory fines, the biggest impact on firms is usually the unreported costs that come before and after a fine.

In the face of this knowledge, the first resort of businesses has often been to throw money at the problem. Just about any market research you can find will show the level of investment in financial crime compliance rising year on year over the last decade or so. Recent research by LexisNexis and Oxford Economics suggests that financial crime compliance for financial institutions in the UK alone is estimated to be £28.7 billion, with costs expected to grow more steeply in the next two years, reaching over £30bn by 2023.

The largest part of this compliance spending is still going to staff, often in large investigatory teams who are needed to work through multiple false positive screening and monitoring alerts, and on manual testing teams trying to understand the effectiveness of controls. According to a recent report from the SWIFT Institute, personnel costs can amount to anywhere between 60 and 80% of financial crime compliance spending.

In the UK, the Financial Conduct Authority (FCA) tends to perform Section166 ‘Skilled Person Reviews’ before deciding whether to levy a fine or not, and our research suggests that the cost for these starts in the millions; from external legal advice and consultancy fees, to look-back projects for further misses, remediation, staff training, and platform upgrades. Whilst financial crime professionals will debate the exact figure, this cost can be triple or quadruple the original penalty.

Moreover, these are rarely one-off expenditures.

As we have noted, fines can generate significant burdens for firms, and are usually accompanied by demands for further reform from regulators. The start of regulatory attention can herald a long process for firms, with close scrutiny usually revealing further failings that can themselves result in a whole new series of regulatory enquiries. In the case of Commerzbank, a US fine of $1.45 billion in 2015 for failures to detect suspicious activities led to a significant round of compliance investment, but the bank was in difficulties again in 2020, when the UK’s FCA fined the bank £37.8 million for failures in its financial crime controls.

Conclusion

For the businesses that sit at the centre of the financial crime campaign it can often feel as though they are fighting a losing battle. They devote large amounts of funds to controls that do not seem to find financial crime, while also being liable to criticism and further regulatory burdens when the controls don’t work as expected.

What’s the answer? How do businesses break-out of - or better still avoid - this cost-laden cycle of investment, criticism, fines, investment, and then...criticism again?

In the next two part in our series we will look in more detail at some of the potential answers. Firstly - what the regulators themselves are saying about effective controls, and then we will look at what the industry can do itself to better measure and understand financial crime effectiveness. Read Part 2: What the Regulators and International Bodies are saying about Effectiveness.

Download the full whitepaper

Recent Posts

Anything less than full monitoring of controls leaves room for error - finally you can do away with manual dip sampling. Cable provides automated evidence of your compliance, risk management and effectiveness, allowing you to:

  • save money by eliminating expensive remediation projects,
  • reduce the risk of regulatory fines,
  • save time by automating reporting,
  • improve stakeholder communication, and
  • scale compliantly and with confidence.

Why manually test 100 accounts when you can automatically monitor 100%?

Introduction

Regulators, international standard setters, and private sector groups have all started to talk about prioritising financial crime effectiveness over technical compliance. There is growing momentum as more people come to the realisation that financial institutions must be able to prove that what they’re doing is not just legally compliant, but is actually working to reduce financial crime.

The overall message from these organisations is clear, and it is only a matter of time before firms around the world are obliged to demonstrate the effectiveness of their financial crime controls.

Whilst there are clear financial benefits to measuring and evidencing financial crime effectiveness, how to do so remains unclear.

This series provides a deep dive into the world of financial crime effectiveness, covering:

  1. The Heavy Cost of Ineffectiveness
  2. What the Regulators are Saying About Effectiveness
  3. How to Measure Effectiveness

Download the full whitepaper

Part 1: The Heavy Cost of Ineffectiveness

Summary

  1. Building and maintaining a financial crime compliance framework costs a huge amount, and the best outcome is the absence of punishment from regulators.
  2. In the face of poor outcomes, the financial crime industry has seen a shift towards effectiveness, most keenly reflected in the increasing number of regulatory fines that mention 'ineffective controls'.
  3. Firms have ineffective financial crime controls because they don’t know what crime to look for and have inadequate testing of controls. In addition, they are unable to evidence their effectiveness to regulators.
  4. The cost of fines is only the tip of the iceberg, with remediation projects easily costing triple or quadruple the original penalty.

Do You Get What You Pay For?

They say ‘you get what you pay for’, but in the world of financial crime, that hardly seems to be the case. As all financial crime professionals know, building and maintaining a financial crime compliance framework can cost an enormous amount. People, technology - it all adds up. In return, the best response firms can expect to receive from regulators is the absence of punishment, while at worst they face censure, public criticism and ultimately fines and other forms of civil or even criminal enforcement action.

This happens to financial firms of all sizes and types and often not as a one-off occurrence. Once under the eye of the regulator, firms can end up in a vicious cycle of criticism, remediation and further investment to rectify problems. Cost piles on cost, and if this isn’t bad enough, there will be reputational and commercial damage, the costs of which can be hard to quantify.

It is easy to take a resigned attitude to these problems. Regulatory-induced costs and criticism have been dogging the financial services industry for many years. But are we really beyond finding new ways to tackle these challenges, and do we need to just keep treating the symptoms, rather than look for a cure?

Almost certainly not. At Cable, our approach has been to go back to the root cause of the problems, and ask why firms are spending so much money and getting such poor results. What we have found is that the issue isn’t about money, will, or commitment. It’s a matter of effectiveness. Not only being able to make effective financial crime frameworks, but also being able to demonstrate this to regulators.

In this three part series, we will look at the question of financial crime effectiveness from several angles: the financial impact of ineffective frameworks on firms; regulators’ growing emphasis on the issue; and most importantly, how innovative solutions can be applied to address the issue. Because there’s no reason why the industry has to live with ineffective financial crime controls - or their costly consequences - any more.

Effectiveness on the Agenda

Over the last twenty years, the primary goal of financial crime professionals has changed. At the outset, international standard setters at the Financial Action Task Force (FATF) and national regulators focused on the concept of compliance. They set the rules and regulations, and firms were expected to meet them. How they did so was less of an issue - it was just a case of ticking the boxes.

But it soon became apparent that this approach was inadequate, and firms were next encouraged to take a ‘risk-based approach’, which varied the application of financial crime controls in the face of their own distinctive risk environment. Whilst somewhat of an improvement, difficulties in application remained, and the overall outcomes have remained poor.

Poor Outcomes and Impact

As a result, the financial crime rule-makers have increasingly emphasised the concept of effectiveness as the target at which firms need to aim. Regulators’ evolving perspectives on effectiveness is a topic we will look at in more detail in the next part in this series. Suffice it to say at this stage, however, that even if there are varying opinions about what effectiveness is, there is a universal sense that it matters to regulators and is shaping how they go about their supervisory duties.

Ineffective Controls and a Lack of Independent Testing

In our own research looking at US and UK fines given for financial crime failures between 2018 and 2021, we found that the reason most often given for a negative finding was ‘ineffective controls’, by both value and count of fines.

In addition, inadequate or ineffective independent testing of controls has been mentioned in an increasing number of fines, demonstrating that regulators see the testing of controls as part and parcel of demonstrating their effectiveness.

Why so Ineffective?

Media narratives often blame financial services firms themselves for the prevalence of financial crime, attributing failures to laziness, greed, or even malfeasance; and, yes, some businesses do make bad mistakes, intentionally and otherwise. But in reality, most firms that get called out by regulators have acted in good faith.

So why then are they getting criticised for ‘ineffective’ financial crime controls? There are a number of practical - and in many ways completely understandable - reasons:

  1. Controls are often poorly configured because firms just do not know what they are looking for when it comes to detecting financial crime. Controls are based on old typologies - ‘industry lore’ - about what crime looks like, meaning that firms end up with a static approach that is less ‘risk-based’ than many would like to claim, and almost always backwards looking.
  2. This problem is compounded because most firms have difficulties in testing, optimising and reconfiguring their controls in real time. This comes from a lack of flexibility in available testing solutions, as well as from organisational and structural problems which make it difficult to fine-tune controls to an ever-changing financial crime risk environment.
  3. Finally, even when firms do take good, risk-based decisions and detect financial crime effectively, they often lack the systematic evidence to demonstrate this to regulators.

Costly Consequences...

Our analysis of fines given by the US and UK regulators found that nearly $2bn worth were given in 2021. The largest fines were given to well established banks, such as Natwest, who were fined £265m, and Capital One, who were fined $390m.

Amongst challenger banks and fintechs, there can be a tendency to think that these kinds of fines are something that regulators only impose on large banks. But although there is a legal onus on regulators to take a proportionate approach, that doesn’t mean that younger firms are immune to significant regulatory fines either, and as such firms grow, they are gaining more regulatory attention. Indeed in 2021 alone, Bitmex were fined $100m and N26 were fined $5m. These are expected to be the first of many more fines to hit challenger banks and fintechs in the coming years.

...Before and After a Fine

Whilst the costs most discussed by the media are the reported regulatory fines, the biggest impact on firms is usually the unreported costs that come before and after a fine.

In the face of this knowledge, the first resort of businesses has often been to throw money at the problem. Just about any market research you can find will show the level of investment in financial crime compliance rising year on year over the last decade or so. Recent research by LexisNexis and Oxford Economics suggests that financial crime compliance for financial institutions in the UK alone is estimated to be £28.7 billion, with costs expected to grow more steeply in the next two years, reaching over £30bn by 2023.

The largest part of this compliance spending is still going to staff, often in large investigatory teams who are needed to work through multiple false positive screening and monitoring alerts, and on manual testing teams trying to understand the effectiveness of controls. According to a recent report from the SWIFT Institute, personnel costs can amount to anywhere between 60 and 80% of financial crime compliance spending.

In the UK, the Financial Conduct Authority (FCA) tends to perform Section166 ‘Skilled Person Reviews’ before deciding whether to levy a fine or not, and our research suggests that the cost for these starts in the millions; from external legal advice and consultancy fees, to look-back projects for further misses, remediation, staff training, and platform upgrades. Whilst financial crime professionals will debate the exact figure, this cost can be triple or quadruple the original penalty.

Moreover, these are rarely one-off expenditures.

As we have noted, fines can generate significant burdens for firms, and are usually accompanied by demands for further reform from regulators. The start of regulatory attention can herald a long process for firms, with close scrutiny usually revealing further failings that can themselves result in a whole new series of regulatory enquiries. In the case of Commerzbank, a US fine of $1.45 billion in 2015 for failures to detect suspicious activities led to a significant round of compliance investment, but the bank was in difficulties again in 2020, when the UK’s FCA fined the bank £37.8 million for failures in its financial crime controls.

Conclusion

For the businesses that sit at the centre of the financial crime campaign it can often feel as though they are fighting a losing battle. They devote large amounts of funds to controls that do not seem to find financial crime, while also being liable to criticism and further regulatory burdens when the controls don’t work as expected.

What’s the answer? How do businesses break-out of - or better still avoid - this cost-laden cycle of investment, criticism, fines, investment, and then...criticism again?

In the next two part in our series we will look in more detail at some of the potential answers. Firstly - what the regulators themselves are saying about effective controls, and then we will look at what the industry can do itself to better measure and understand financial crime effectiveness. Read Part 2: What the Regulators and International Bodies are saying about Effectiveness.

Download the full whitepaper

There’s more to read!

Resources