Compliance complexity demands holistic solutions
The rapidly-changing world of financial compliance has become so complex that many organisations across Africa as well as in South Africa are transgressing their regulators’ requirements and government legislation every day – often without being aware of it.
That’s according to Lizette Sander, product manager at Bateleur Software, which supplies software packages designed to enable organisations to meet their anti-financial crime compliance and regulatory obligations. However, Sander maintains that throwing money, technology or even bodies at the problem is unlikely to resolve it effectively or permanently.
“The financial services sector – whether it’s banks, asset managers, insurance companies and the like – requires more than just the implementation of an automated anti-financial crime compliance- or regulatory-focused software solution. What is also needed is guidance from compliance and regulatory experts to ensure the software selected, and the way it is implemented, will meet the needs of the organisation,” she explains.
Candice Glossoti, director at LRC Advisory, a Johannesburg-based legal, risk and compliance consultancy, agrees.
Glossoti points out that financial institutions are facing a plethora of challenges, not least of which is the speed, cost and pressure of digitisation. At the same time, they are confronted with the ever-increasing sophistication of cyber criminals and the pervasiveness of market abuse and financial crime – all of which is causing regulators to push for enhanced control environments.
“Regulators’ growing demands require financial firms to monitor, manage and report financial crime and irregularities by leveraging all means at their disposal,” she says.
“But as regulatory requirements become more onerous, including, for example, enhanced anti-money laundering and counter-terrorism financing (AML/CTF) capabilities, financial institutions are having to employ more skilled professionals and advisors to help them understand these demands and supplement their risk management efforts.”
Alex Brown, director and financial crimes compliance specialist at LRCA, says only a handful of instances of firms having fallen short in their compliance efforts are well publicised. One was last year’s data breach at Experian SA involving a sophisticated scam that gave criminals access to the personal information of around 24 million South Africans.
However, many more instances of non-compliance go unreported. According to Brown, at least two large South African financial organisations recently fell prey to malware attacks that locked them out of their own data. In another instance, an audit of a major South African bank revealed thousands of cash transactions that were not reported in breach of the banking regulations because of inadequacies in the bank’s internal reporting systems.
“The bank not only risked a huge fine from the regulators, but also enormous damage to its reputation had the breach been made public,” he explains.
Glossoti points out that several regulatory reform initiatives are under way in South Africa placing an additional burden on financial institutions. Probably the best known is POPIA (Protection of Personal Information Act) – South Africa’s first comprehensive privacy statute. From 1 July 2021, all organisations including financial firms will be legally accountable for how they record, store and manage all personal information about employees, customers and suppliers in their businesses. POPIA also impacts those who outsource key processing activities, share data offshore, and engage in direct marketing.
Another key piece of regulatory reform is the Conduct of Financial Institutions Bill (CoFI) which aims to significantly streamline the conduct of the country’s financial services sector, including the implementation of the Treating Customers Fairly (TCF) principles.
In addition, the finalisation of the country’s Twin Peaks model will impact heavily on financial sector regulation. This will consolidate the authority of the Prudential Authority to oversee the safety and soundness of financial institutions; as well as the Financial Sector Conduct Authority that oversees system-wide efficiency, conduct and integrity of financial markets to afford greater financial consumer protection.
According to Glossoti, the COVID-19 pandemic has also added to the financial sector’s regulatory and compliance burden.
“The pandemic has resulted in many regulators reviewing their own rules in order to facilitate an effective response to the crisis, including dealing with steps introduced by governments to support consumers struggling with debt repayments, temporary legislation to deal with government grants and financial support schemes. Regulators have also had to consider stronger governance requirements to combat the inevitable increase in corruption and financial scams,” she says.
All these changes, as well as the additional security challenges that have resulted from a shift to remote working, have stretched the compliance resources within financial firms to unprecedented levels.
“Adding to the problem is the way legislation and regulation has changed,” Brown notes.
“In the past, we had rules-based legislation – a kind of tick-box exercise that generally made it easy for organisations to deal with new requirements by throwing bodies at it. Now, regulation demands a risk-based approach that requires resources be appropriately apportioned to manage or mitigate risk effectively.
“But few organisations have the expertise to do this in-house without having to employ large numbers of expensive resources or take their eye off the ball so that other areas of their business suffer,” Brown says, adding that the cost of compliance can be prohibitive for many organisations.
Sander maintains that the only way companies can meet the demands of regulatory compliance effectively, is to partner with organisations that can deliver a holistic solution.
“This type of solution must be based on the identification of gaps in the firm’s systems in terms of current and pending regulation, and draw on the latest technology for quick, effective and accurate compliance. This is best achieved when risk, legal, compliance and technology specialists work together,” she concludes.