What is Compliance Risk?

By Juliet Kontaxis

Can you guess the current number of regulatory restrictions in the US? While you would probably guess a large number, the exact number is unknown. The task of computing an exact number is so time consuming and difficult that even the experts can only estimate the number relying on artificial intelligence and alternative approaches.

One approach developed by the Mercatus Center at George Mason University estimates that between 67,000 and 170,000 individual regulatory restrictions (depending on which measurement methodology they used) applied to depository institutions alone in 2017. While the number is probably not 170,000 for any one bank, you can imagine that the number is minimally in the tens of thousands.

[Chart: Federal banking requirements over the years]
Source: https://quantgov.org

All of those restrictions create “compliance risk” for impacted organizations. Compliance risk is the risk of legal or regulatory sanctions, financial loss, or damage to reputation resulting from failure to comply with the laws, regulations, and rules applicable to the organization. If the organization is unaware that it needs to comply with a restriction, or if adequate controls are not in place to address the restriction, the organization is exposed to compliance risk.

Identifying Applicable Restrictions

With thousands of potentially applicable restrictions, just identifying those that may impact some part of the bank is complex. Banks frequently operate in multiple locations and may have numerous legal entities which may need to comply with regulations issued by various local and federal authorities as well as those issued by authorities with a global reach. Since regulations are subject to change, any inventory of applicable regulations needs to be updated on an ongoing basis. New regulations and changes in business product offerings will also impact the inventory.

Assessing Inherent Risk

Not all restrictions expose the bank to the same level of compliance risk. Regulators generally consider some restrictions more significant than others, so the impact and consequence of violating a restriction varies. Additionally, there may be a greater likelihood of violating one given restriction compared with another. Incorporating an evaluation of the level of compliance risk a restriction creates, in other words the inherent risk of the restriction, is essential for mitigating compliance risk.

Mitigating Inherent Risk

The level of a bank’s exposure to compliance risk can be reduced by implementing controls for ensuring the bank complies with applicable restrictions. Depending on the adequacy of the controls over each restriction, the inherent risk presented by the restriction can be effectively mitigated. Monitoring or testing to verify that the controls are working would be required.

Final Thoughts

Identifying all the regulatory restrictions that apply to a bank’s various locations and legal entities, assessing their inherent risk, and mapping controls to each restriction requires a significant investment of resources. The temptation is to develop shortcuts, which may include focusing primarily on key regulations or restrictions.

Given the potential magnitude of managing compliance with thousands of restrictions, focusing primarily on key regulations or restrictions surely simplifies the management process but at what cost?

Ignoring many seemingly less important restrictions may actually create higher levels of unknown compliance risk for the organization. A violation of one of these ignored restrictions may expose the bank to a higher level of compliance risk if it becomes known to the Regulators that the bank had no controls in place to address the restriction.