A regular theme in conversations with our clients, both Rockstead's and Yabber's, is the true cost of non-compliance. We make no apology for banging on about it: too often we learn that the first functions to be axed as part of a cost-cutting exercise are risk and compliance. Firms who cut such programmes simply highlight that they have the opposite mindset to regulators. While the firm focuses on operational cost savings, the regulator focuses on customer outcomes.
The recent bank fine of £64m, which would have been £91m were it not for an early settlement discount, is another clear example of the direct cost of non-compliance. It could have been worse: the decision notice, which sets out how the final fine amount was reached, shows that a 'step 2' amount of £152m was also considered. The fine, of course, does not include the cost of investigating the issue, skilled person reviews or remediation. The total cost of non-compliance is therefore significantly higher than the headline figure.
While the focus of this fine was arrears and forbearance activities, we read FCA decision notices such as this one to identify the underlying non-compliance themes. Two themes emerge from this notice, and both relate to the independence of oversight processes.
1) Three lines of defence model
The decision notice shows that "Conduct, Compliance and Operational Risk" was responsible for "providing independent assurance". We have always argued that where any of the three lines of defence is staffed by departments within the business, it is clearly not 'independent'. Those responsible for oversight, whether Boards or Risk Committees, need to recognise this lack of independence and apply a sceptical appraisal to every report they receive. In our view, the third line should be truly independent and external. Anything else is a false economy.
2) Call handler oversight
The decision notice highlights wide-ranging call handler oversight failings in a number of areas: inappropriate categorisation of call outcomes, inadequate information gathering, lack of training and rigid adherence to a payment arrangement framework. The management information (MI) packs presented to management were largely "green" RAG-rated results which, while providing management with "comfort", did not present the results in a way that management could "drill down into". Additionally, there was "no MI which attempted to identify issues before they had crystallised and therefore were evident through testing". The fact that traditional sample-based testing covers only a small fraction of customer interactions exacerbates these issues: a green rating built on a small sample says little about the interactions that were never reviewed.
So the key messages that firms need to consider if they are not to face similar regulatory penalties are:
1) Aspects of the three lines of defence model need truly independent input.
2) Firms need to deploy systems that are able to monitor and assess 100% of customer interactions, rather than a small sample.
3) Firms should use the MI gained from proper oversight to identify and address issues before they crystallise.
4) Firms are apparently still not focused on customer outcomes and should address training needs urgently.
Rockstead and Yabber can help with all of these issues – give us a call to see how we can help your business solve the true cost of compliance conundrum.