Muhammad bin Ibrahim: A broader view of compliance in banking and financial sectors

Remarks by Mr Muhammad bin Ibrahim, Governor of the Central Bank of Malaysia (Bank Negara Malaysia), at Bank Negara Malaysia's Compliance Conference 2017, Kuala Lumpur, 18 May 2017.

The views expressed in this speech are those of the speaker and not the view of the BIS.

The topic of compliance has become a widely discussed topic in recent times, often headlined by massive regulatory fines slapped on financial institutions for compliance failures. Banks globally are estimated to have paid over USD320 billion in regulatory penalties since the global financial crisis for multiple failures ranging from market manipulation to money laundering and conduct failures.

On the bright side, these fines signal a continued, if not increased, priority given by authorities to strong enforcement. But the fact that such failures occurred at all, and were allowed to reach such extensive proportions to the detriment of the public, should worry us.

There is no doubt that the compliance burden has increased significantly. And for good reason. Even though the debate will continue to rage on over the relative benefits and costs of compliance, it is unlikely this question will be settled in the foreseeable future.

Given our experiences from the various discoveries that institutions continue to push the boundaries of what constitutes a fair and ethical practice, there is clear evidence that we need to do more to improve compliance.

The industry has made some important strides. In earlier times, the compliance function was largely left to a single, usually mid-level, individual within the organisation, whose principal job was to serve as a contact point with the regulator, or to handle matters relating to anti-money laundering and counter financing of terrorism. Today, almost all financial institutions have a compliance function, staffed with whole teams dedicated to all aspects of a firm's compliance with relevant laws, regulations and internal policies. Indeed, we have progressed.

Many efforts have been taken to continuously strengthen the supervisory framework. Bank Negara Malaysia has identified the compliance function as one of the key control functions in a financial institution - right up there with senior management, risk management function, and finance and reporting functions. In 2015, we issued the compliance standard for financial institutions, which raised our expectations of boards and management to address the full breadth of structural, operational, resource and process issues that go into assuring compliance. We also issued strengthened corporate governance standards which reinforce the accountability of the boards in overseeing an effective compliance function.

While it should be obvious why compliance is so important, I think it bears repeating. If motivations for an increased focus on compliance are exclusively driven by the avoidance of regulatory fines, then we are missing the big picture. We should be aware that a strong compliance function and culture makes good business sense. Today I would like to address the following matters:

i.  The role of compliance in supporting the integrity of regulatory frameworks;

ii   The larger social and economic consequences that can arise from compliance lapses; and

iii.  The impact on public confidence and trust in an environment where financial intermediation is no longer the exclusive domain of banks.

Regulation, particularly for banks, has become significantly more complex as banks grow in size and sophistication. In the face of these growing complexities, global standard setters continue to develop standards that can best manage this issue. In general, Bank Negara Malaysia has been supportive of moves to make regulation simpler and less costly. Even so, some complexity in regulation is inevitable due to rapid advancements in the business of banking, compounded by the process of globalisation and changes in the banks' operating landscape and interactions with other components of the financial system. Continuous regulatory changes are necessary and will be the norm as efforts are continuously taken to safeguard financial stability.

If you observed carefully over the last few years, it is not just banking rules that are becoming more complex. Developments in financial reporting standards are adding to this complexity as well, in ways that we may not even fully contemplate yet.

Regulation has also evolved from detailed prescriptions to "standards", which focus on principles and outcomes. With this evolution, substantial value judgement and discretion are required in such an approach. Banks need to determine and decide on how to reflect these standards in their day-to-day operations. Financial reporting standards now work in much the same way, with considerable management discretion required. This is a sensible approach, given that operating models and business strategies differ from one bank to another. Prescriptive rules, especially if they are rigid, are always ill-suited if intended for all institutions, as they often lead to numerous exemptions, waivers or perverse outcomes. So, even if we exhaustively pursue prescriptive rules to secure financial stability, there will inevitably be areas where allowance for judgement is necessary.

Regulators have a keen interest in the development of a strong compliance function within banks given the more complex rules, combined with the wider use of principle or outcome-based regulations. The compliance function plays at least three critical roles.

First, to ensure a bank's operational frameworks are consistent with the intentions of regulatory standards. Second, to provide a level of independent assurance on the processes behind detailed calculations of regulatory ratios and limits. And third, to support consistent and well-reasoned applications of management discretion and judgement.

The existence of a strong compliance function, therefore, protects the integrity of the regulatory framework. We should be mindful that when banks' internal functions cannot be relied on to achieve financial stability objectives, experience shows that regulation will then tend to be more intrusive. In the process of intervening to remedy such gaps in the stability framework, tensions often surface over the delicate balance in regulation. The degree of intrusiveness in regulatory requirements will swing from one end of the pendulum to the other, before settling somewhere in the between. This process can often be disruptive and unproductive, not only to financial institutions, but also to the wider economy.

This leads me to my next point on the broader social and economic consequences of weak compliance. In most banks, the compliance function has mainly served to ensure that a bank is operating within permitted legal and regulatory boundaries. In such cases, the compliance function effectively does little more than constrain a bank from activities that increase compliance risks. So rather than work with business units and customers to close gaps that contribute to heightened risks, compliance officers are seen as gatekeepers rather than partners.

This is an important distinction with potentially significant consequences for a bank's risk-taking activities. I can give you at least three examples of this.

When we issued revised standards on loan provisioning, one of the requirements was for banks to classify loans as "impaired" if the loans were restructured or rescheduled following an increase in credit risk. Rather than focus on how banks might strengthen internal assessments to better identify and measure changes in credit risk, many banks simply withdrew altogether from entertaining requests from borrowers to restructure and reschedule their loans. SMEs were hit the hardest, requiring Bank Negara Malaysia to intervene.

For a period, our banks were also caught up in the global de-risking phenomenon which saw banking relationships with legitimate businesses indiscriminately terminated across the board. Money changers, remittance service providers and even well-established and managed non-government organisations, which were providing legitimate services to the community, had their accounts unilaterally closed without any effort made to establish legitimacy.

Another example is in the area of responsible financing. Despite broad flexibility provided on income verifications, some banks were initially quick to reject loan applications from borrowers based on a set of very narrowly defined documents that were accepted to prove incomes. This largely excluded non-salaried individuals from accessing loans. This was only later reviewed by banks to accept other forms of documentation and borrower engagements to demonstrate a borrower's ability to repay.

In certain circumstances, it is entirely appropriate for a compliance function to draw a clear line in the sand, where further risks should not be taken. For example, where there are reasons to suspect that firms or individuals may be involved in illegal activity, banks must not deal with such parties and must work with the authorities to limit public harm. Despite being a first line of defence against illegal activities through banking relationships, banks have often been too slow to react. This has resulted in heightened risks of losses to investors, not to mention substantial damage to the reputation of the banking industry at large.

But given that banks are in the business of risk-taking, compliance functions can and should also provide the means by which a bank can take reasonable business risks based on more informed judgements. In other words, compliance doesn't only serve to constrain risk-taking, it can help banks assume legitimate business risks more responsibly and with greater confidence.

Our economy still relies strongly on bank intermediation. An excessive aversion to risk by banks has dire consequences on economic growth. A strong and effective compliance function can redress this by assisting banks to form better judgements about risks taken by their institutions.

In a 2017 survey of 28 countries including Malaysia, the financial services sector was ranked as the least trusted industry, coming in last after the technology, food and beverage, consumer packaged goods, and energy sectors. I recently shared that popular polls also show that most people do not hold banks in high regard in terms of ethics and honesty. This is, indeed, a very unfortunate state of affairs.

This brings me to my third point on the impact of compliance on public confidence and trust in the financial industry. When things go wrong, two questions inevitably get asked. Were there any rules to prevent this from happening, and if so, why were they not followed? And if this could happen, how far can we really trust banks to act in the public's interests?

Today, banks remain dominant players in many aspects of financial services. While this may not change dramatically in the very short term, we cannot preclude a significant share of bank revenues being eroded by new entrants into the financial sector. We are already seeing this in the retail lending and payment segments of the market.

FinTech will most likely change our banking landscape as the public at large becomes more predisposed to the use of technology. The intermediation role of banks may totally change, and may no longer be the sole domain of the banking industry. So it is in the banks' interest that any public disillusionment with banks be addressed preemptively.

The role of compliance is very much a part of this conversation. It has to be, since the compliance function exists not only to ensure that rules are followed by banks. It can be used to maintain public trust and to shape the cultural norms and values for an organisation.

The compliance function complements enforcement and supervisory actions in upholding the sanctity of rules that safeguard public interests. Bank Negara Malaysia will continue to take strong enforcement actions against institutions with significant lapses in controls that might lead to risks in the financial system.

We recognise that compliance is not an easy task. It is not possible to police every minute detail of a bank's operations. Hence, a key priority should be to foster a culture of compliance within the inherent norms and values of an organisation. Culture can be an abstract concept, but the simplest way to describe it is how a bank employee will behave when there is little threat of "being caught". This is also sometimes referred to as "soft laws".

The compliance function can help to shape and internalise "soft laws" through an effective monitoring and assessment framework. With a pulse on the ground, it also provides an important feedback loop to senior management and the board on actions that can be taken to reinforce a strong tone from the top. Compliance officers can also galvanise broader industry initiatives, working with bodies like the Financial Services Professional Board to develop constructive codes of ethics and conduct for the industry and encouraging their adoption.

Earlier, I alluded that the compliance function can be a strategic business proposition. But this can only be achieved through sufficient investment in capacity building in the compliance function, in terms of both systems and resources.

One aspect that tends to be overlooked by institutions in managing compliance risk is the importance of effective channels for communication and information flows between various control functions and the business departments. The closer the cooperation between various functions within the bank, the easier it is to share relevant information and the higher the chances for an early identification of risks. This will improve the quality and promptness of the bank's response to any occurrence of risk or non-compliance.

It is also crucial that institutions invest sufficiently in talent development within the compliance function. At the board-level, this priority is often overlooked. However, cultivating a group of professional compliance officers within a bank is essential. They must be fluent with the business operations of the bank, plugged-in to organisational developments, and have the authority and network to engage effectively throughout the bank. Possessing professional qualifications also play a key role in this, such as the certification in regulatory compliance offered by the Asian Institute of Chartered Bankers, in conjunction with the International Compliance Association.

Today, banks are realising how important it is for them to get in front of compliance issues. Failure to realise this is an expensive error. Banks need to invest and build systems; and create a culture that ensures that they are the first to identify and address compliance failures, and proactively communicate them to the regulators and other authorities.

Beginning next year, we will be raising the stakes further by publishing enforcement actions taken by Bank Negara Malaysia. Specifics will be mentioned, including the name of the banks, nature of breaches and remedial actions taken. In addition, we are also working towards introducing a mandatory employment reference process for the industry. This will require banks to keep and share records of misconduct by employees to facilitate informed recruitment decisions.

Conclusion

My aim here is to provoke a much broader view of compliance, one that is strategic as opposed to operational.

Compliance supports smart, efficient and balanced regulation. This, in turn, builds trust and confidence among the public, which is the very foundation of the banking industry. Only with a strong and reliable banking industry can we serve the economy and the overall well being of our people.