How to break the vicious cycle of cookie-cutter compliance

It can be very tempting for companies to do the bare minimum in terms of regulatory compliance to prevent financial crime - especially when compliance is costly - but giving in to this temptation carries the real risk of creating a vicious cycle.

It looks like this: a company does the bare-minimum for financial crime risk management, it gets into trouble with a regulator, it then makes significant changes to fix the problem, regulatory compliance improves but its focus and investment wanes once the regulatory scrutiny decreases - and so the trouble comes knocking again. Why the bare minimum? If compliance is deemed too costly, especially during hard economic times, the company might cut corners with compliance to save money. Ironically, it is when companies relax compliance while not under regulatory scrutiny instead investing heavily into the business, that problems re-emerge. A company might scale back on compliance costs and then profits increase as a result, but this growth adds to the workload of a stripped-back compliance team, which is when breaches are likely to happen again.

Ultimately, not breaking this cycle of breach-fix-relax-breach again is legally fraught - and it can cost companies in terms of money and reputation. It is far better to introduce a robust compliance culture that is effective without harming profit margins.

So in my view, how does breaking of the cycle work in practice? Firstly, it is useful to know that while there are some regional variations, money laundering regulations are similar worldwide, and most financial regulations are principle-based. Striving to ensure C-level executives beyond the compliance team have a clear understanding of their responsibilities is a constructive way to start embedding a culture of compliance. It is also increasingly important to do so as some countries have already introduced requirements that focus on the responsibilities of senior management.

Of course, regulations often change, which can be frustrating for companies; but prioritizing awareness and keeping senior teams informed whenever there is a change can help to minimize the risk of being surprised by breaches caused by ignorance rather than malicious intent.

It is also important to be aware that many financial crime regulations may be open to interpretation. If a more relaxed interpretation is applied, it may seem like a cost-effective way to comply but it is certainly a risky approach. Instead, I recommend that companies adopt a risk-based approach that focus on building robust controls to mitigate risks specific to each unique company.

When a bank is approached by a high-risk customer, such as one with a high level of political exposure, the due diligence process will probably be more intensive and intrusive than the process for a low-risk customer. Doing the bare minimum for a high-risk customer may seem like a cost-effective approach in the short term, but in the long term, I believe it can cost companies dearly.

It can be challenging for financial institutions to know how to best interpret regulations, particularly as they change. KPMG professionals can assist with this (often overwhelming but very important) function for financial institutions. In particular, KPMG firms specialize in understanding not only the meaning of the regulations but the expectations of the regulators so this knowledge can be passed on to clients. KPMG professionals often help companies with the remediation of findings by regulators, which can give great insights into the expectations that should be met to stay compliant.

And while experience, consultancy and professional advice is crucial, technology plays an expanding role in helping companies handle compliance more cost-effectively. Advances in machine learning and artificial intelligence mean that irregularities can often be flagged early with fewer false positives; proactive interventions can therefore be made to help prevent a regulatory breach from occurring. Saving money on human costs by using technology is certainly an attractive option for many companies, but it is important to be aware that people will likely still need to intervene and many regulators may not fully embrace automated compliance technology if there is no evidence to demonstrate the effectiveness of these tools.

KPMG professionals can help strike a balance between communicating regulatory changes and expectations and to assist in ensuring compliance is focused on the risks faced by clients. Compliance efforts should commensurate with the risk profile of the organization instead of adopting industry best practices by default. It can be difficult to weigh up the risks, but KPMG professionals can outline the pros and cons of different strategies - including technology advances - so clients can use their judgement to meet regulatory requirements without sacrificing commercial success.

Read additional blogs in our Financial Crime series.