I recently spent a day in a meeting discussing Governance, Risk and Compliance (GRC) … yawn. Well, it is a bit of a dull area, but highly important. In fact, what gets me is that regulations are the big ticket barrier to change in banking. It’s what protects the banks from disruption and change, as I’ve blogged before. It’s as John Cryan put it the other day: “Everything regulated tends to continue as it is”.
That doesn’t mean that a bank should be lazy and complacent, as many are, but that the banks can respond to change at their own pace, rather than being forced to change by new competitors. In fact, the only change factor in banking is regulation. As someone put it to me the other day: “if the regulator said we had to do it (blockchain, artificial intelligence, APIs, whatever), then we’d do it”. That’s the only reason why faster payments happened and is the only reason the banks are talking about Open Banking: because the regulator told them to do it.
But the regulators are getting more and more difficult to deal with. In fact, I’ve lost the plot when it comes aligning regulations at global, regional and national levels because often they are not aligned. They conflict and contrast, have local interpretations, gold plating and implementations vary between banks. This was mentioned the other day in respect of money laundering:
Spain has by far the largest number of politically exposed persons – those singled out for higher risk controls by banks – because it uses an expansive definition of local officials. Financial institutions then apply their own interpretations of the rules in their compliance, which can also vary from peers.
And it’s not getting easier. In fact, it’s getting harder.
I remember Jamie Dimon’s shareholder letter in 2012 getting him the label Whiner Dimon for complaining about the complex network of regulations they now had to deal with:
We have hundreds of rules, many of which are uncoordinated and inconsistent with each other. While legislation obviously is political, we now have allowed regulation to become politicized, which we believe will likely lead to some bad outcomes.
But he was right. Just look at the graphic below and you can see why:
Maybe that’s why so many of the details of Dodd-Frank are yet to be implemented months, or even years, after their deadline dates:
Of the 390 total rulemaking requirements, 274 (70.3%) have been met with finalized rules and rules have been proposed that would meet 36 (9.2%) more. Rules have not yet been proposed to meet 80 (20.5%) rulemaking requirements.
In Europe it’s no better. EMIR, UCITS, CRD, PSD, MiFID and the whole raft of other inter-related, but separated directives and regulations, are causing just as much of a mess over here. In fact, Thomson Reuters monitor all this stuff, and say that the number of regulatory changes a bank has to deal with every day has increased from 10 in 2004 to 185 today. That’s a regulatory change that has to be interpreted and implemented every 12 minutes.
The Thomson Reuters Regulatory Intelligence Feeds monitors 750 different regulators globally for changes to bank rules, and updates compliance teams three times a day with what’s going on. Even so, and even with all that insight, it’s too darned difficult to keep up with.
A great example is the Volcker Rule. Starting out at just three pages, it ballooned into 298 pages by the time it was written into law, and accompanied by 1,300 questions. pages by the time of implementation. No wonder compliance costs are the biggest overhead in the banking business.
Surely there must be a better way of doing business?