Partner interview: EY on the future of supervised compliance

For OXIAL, the concept of supervised compliance is one that really resonates with our business model and the way that organisations should operate in 2018. The idea of working with a technology firm to automate controls and processes around compliance, supported by informed consultants who know the legislation inside out, feels like a smart way to approach compliance. This is especially so in sectors such as banking and financial services (FS) where there is more compliance and regulation than ever before.

However, as with many phrases within business and technology, interpretations as to the precise meaning of ‘supervised compliance’ can vary. We caught up recently with EY’s EMEIA Financial Services Partner Pierre Pourquery who leads the Control and Compliance solution for Europe. Pierre knows as much as anyone about FS compliance and he explained the importance of supervised compliance for banks and why many banks are doomed if they do not embrace wider digital transformation projects.

OXIAL:

How do you see supervised compliance in 2018?

Pierre Pourquery:

The common take on supervised compliance is that it is the collaboration between a technology firm and a consulting establishment, where you can combine technology expectations with business compliance expertise.

But while this combination of technology and compliance business is important, it arguably takes place at the wrong time. Traditionally, technology firms such as OXIAL have developed fine products with their clients, but typically on the client side, this is mostly done by technology people. So what you lose by doing that is all the business context and the compliance details. And that’s wrong, because compliance is all about the detail.

OXIAL:

So the technology is not matching precisely with the specific business requirement?

Pierre Pourquery:

Exactly. And this is a problem with some of the Fintech and RegTech firms that have emerged – they provide incredible technology but can’t map that to the specific use cases that are of the highest importance for the banks. There is a kind of mismatch – the banks have access to this powerful technology but are not sure how best to use it.

OXIAL: 

But banks do have a real need for this technology?

Pierre Pourquery:

They absolutely do. And the common take on supervised compliance can really help bridge the gap, and has a lot of value and benefit to a bank. Every bank needs to engage with technology firms to provide some level of automation, they simply have no choice. It’s impossible for example, that when a bank needs to monitor a trader’s sales, for it to put a human being next to the trader, writing everything down. It doesn’t make sense.

But in addition to the technology, the banks also need a consultant to help them define what is good and what is acceptable, both from a risk and compliance perspective.

OXIAL:

Why do banks need external consultants for this?

Pierre Pourquery:

Because it is imposed on them by the regulators, to provide an external perspective, and to provide an independent view of where the banks are. So without exception, banks need co-supervised compliance.

OXIAL: 

So how can supervised compliance go beyond the common definition?

Pierre Pourquery:

This is where OXIAL’s (and EY’s) vision can really help to transform the industry. We take a different definition of supervised compliance, one which is less about how those services are provided and more about what banks need right now. Banks, at the moment, need to comply with a very significant amount of new regulation, so much that it takes around 40% of their time. It’s not just local regulation, it’s global too, and it all becomes even more complex when these regulations do not align, which is most of the time.

Imagine the complexity when you have to develop globally a business model and a pricing model, while you are constrained locally by local regulation and local laws. It becomes complex, hideous, and obviously not optimal. The problem with this is that not only are banks developing new programs to put this in place, but that it’s always resulting in new controls, new processes, new reporting, new governance, new committees, and sometimes even new organisations.

OXIAL:

That sounds overwhelmingly complex, especially when you factor in the need to demonstrate this to regulators?

Pierre Pourquery:

Absolutely, and that’s where most of the banks have failed in the past. Because it is one thing to put in place a new control, but another thing entirely to demonstrate that this is working, on a daily basis.

This is a major change. Previously it was up to the regulators to demonstrate that the bank did something wrong; now the banks have to demonstrate that they are doing everything right. This is called visible steps: demonstrating that even if they made a mistake or they have been subjected to misconduct somewhere in their business, they can prove that they’ve done everything they could to stop this.

OXIAL: 

That sounds like a major undertaking?

Pierre Pourquery:

That’s the challenge! An investment bank that makes, say, 30,000 transactions each day, with thousands of employees across multiple geographies, would have approximately 15,000 controls and maybe 10,000 more processes. How does a bank alone control this type of complex environment? Not only control it, but detect any issues, do the right thing at the right time, and keep all that information available for an external party to check that they did the right thing. It is very complex, very difficult, and costs a huge amount of money. I would estimate that around one-third of a bank’s costs are dedicated to this.

OXIAL:

So what can banks do to address this?

Pierre Pourquery:

This is where the visions of OXIAL and EY converge. We are trying to put in place a fundamental transformation of control and compliance. Take MiFID II, for example, with something like 400 pages of regulation: each page, each paragraph can equate to perhaps 50 or 60 new controls.

If you take one regulation, the first question you have to ask, is which part of my business will this regulation apply to? You need to map this regulation and the sub-components to all of the different business lines. Essentially, you need a comprehensive and exhaustive list of risks.

For each risk, you then need to put the right controls in place. So you have a long list of controls, and for each one you must decide whether to do it once a day or once a month, depending on your appetite to take, or not take, risks.

Then, when you have the control, you have to gauge what regulators want external assessors to do. And it’s not even just regulators; industry also demands this. Banks have to comply with an industry code, and those that do comply are published on a list. A bank’s clients will see this list. Who knows the repercussions of a bank not being on it?

So a bank knows what controls are needed, and an independent assessment will assess whether it has the control or not. If the controls are not in place, a bank has to make a decision: implement a new control, or not? It might be costly, or the bank could decide it can bear that risk. It is a massive decision, one that makes it difficult to keep the business sustainable.

What started with regulation has ended up as a critical business decision around controls and business. But what banks have not done in the past is to link all the systems together. That’s what OXIAL and EY are doing.

Part two of the OXIAL interview with Pierre Pourquery will publish soon.

OXIAL’s New Generation GRC solutions are built to address some of the greatest challenges facing organisations in risk management, internal control, compliance and audit. OXIAL’s integrated GRC platform enables organisations to become more efficient and effective in mitigating risk by integrating and automating GRC processes on a global scale.

Featuring intuitive and powerful tools that make it possible to respond to fast-evolving risk environments, OXIAL makes it easy to synchronise corporate governance, enterprise risk management and corporate compliance activities and to undertake real-time monitoring across all business and IT processes and company assets. OXIAL operates globally across multiple industries and meets the needs of over 40 customers who have chosen OXIAL to drive business performance and achieve success.