Skip to main content
Aug 09, 2016

More outsourcing of compliance tasks as regulatory demands rise, survey finds

Compliance officers cite IT responsibilities, keeping up with regulatory changes, and outsourcing as major issues     

Growing regulatory demands are preventing financial companies from pro-actively improving their internal processes, such as in their IT departments, according to Thomson Reuters’ 2016 global cost of compliance survey.

The recent report, Cost of compliance 2016, is based on responses from 300 compliance professionals in financial companies worldwide, including most of the largest G-SIFIs (global systematically important financial institutions), surveyed banks, asset managers, insurers, and brokers.

The survey shows a slight decline in expectations among respondents regarding how much more information regulators will ask for in the next year to 69 percent from 84 percent in 2012), with 26 percent of respondents anticipating demand for ‘significantly more’ information from issuers.

Citing lack of time and skilled in-house personnel needed to address the increased demand for regulatory information, one quarter of respondents say their firms outsource at least a portion of their compliance activities. This year’s survey is the first to include a question about outsourcing and was added 'in the wake of the SEC and other regulatory bodies paying increased attention to such arrangements and issuing warning on the dangers of outsourcing the compliance function,’ says Hammond. ‘In their annual examination priorities, the SEC and FINRA this past January focused intently on the use of vendors and/or business partners in 2015-2016, so Thomson Reuters sought to ascertain firms’ reliance/stance on outsourcing in this year’s survey.'

To ensure the confidentiality of the information they give third parties compliance service providers access to, firms must make sure that contracts for these services cover the use, storage and return of data. ‘Firms need to make sure that their own data is part of their disaster recovery plan and that any [third party service providers] have a similar standard of backups in place to restore or retrieve data,’ says Hammond.

It’s important to integrate whatever compliance work is done internally with that which has been outsourced to make sure the reporting methodology is consistent. ‘If the internal compliance function reports on a red, amber, green [alert] basis with one set of risk criteria and the external team reports on, say, a 1-2-3 basis with a different set of risk tolerances, the firm will struggle to get a [unified] view of compliance risk management in the business,’ Hammond explains.

The growing demand for information is felt to be especially intense in the IT sector. Firms are finding it tough to get ahead of regulatory changes, with the high volume of compliance items absorbing all of the IT staff’s time and effort, leaving little or no time to focus on innovation or system integration, says Susannah Hammond, senior regulatory intelligence expert and one of the authors of the study. More than one third of the firms surveyed spend at least one day each week tracking regulatory changes. In addition, the responsibilities of the compliance department have expanded to encompass IT risk and cyber-crime, which were formerly the sole responsibility of the IT department.

Among other survey findings are that:

  • Two thirds of firms expect senior skilled staff to cost more in 2016 and
  • Sixty percent of respondents believe the personal liability of compliance officers will increase over the next 12 months

The survey finds that half of compliance departments report spending less than a half hour each week talking with internal audit personnel. With limited meeting time, compliance officers need to focus on any emerging risks in the business that could be investigated and mitigated at an early stage, says Hammond. ‘An example of an emerging risk could be a scattered but low level of customer complaints. Considered separately, the complaints would not trigger risk alarms, but if it becomes apparent that the complaints could have a similar root cause, that could be significant.’