Financial Service Technology America
The true cost of compliance

By Michael Rothschild

Juniper Networks | www.juniper.net


Even before the global financial meltdown of 2009, the financial services industry (FSI) was saddled with an alphabet soup of compliance requirements, including a slew of regulations covering auditing, testing and assessment, Basel II, e-discovery, FACTA, FFIEC, GLBA, PCI DSS, risk frameworks, SEC and FDIC regulations, SOX financial reporting, data security breach notification laws and section 314 of the USA PATRIOT Act. Given more recent events involving the unauthorized exposure of personally identifiable information (PII) and non-public information (NPI), there is no doubt that further compliance requirements and additional legislation are looming on the horizon at the state, federal and global levels.

The Reality of it All

Most of us start our days very similarly: loading up on caffeine and catching up on current events by reading the morning paper. With stunning regularity we read about yet another financial services organization that has been fined for a compliance breach of some sort. And it is no wonder. Keeping informed on new compliance requirements can be a full-time job, and interpreting regulations and implementing appropriate controls to safeguard daily operations from breaches is a monumental task. While the regularity of these headlines has become predictable, they give us pause to ruminate on the crushing cost of compliance to these institutions and to the industry as a whole.

While no organization welcomes the fines associated with a compliance breach, let's be honest: they are really not that prohibitive. TJX, whose 2007 PCI DSS violation resulted in the exposure of 95 million credit card numbers, the largest breach of its kind at that time, settled with 41 states for $9.75 million [1]. While there were other associated charges, TJX was easily able to absorb the cost. That year TJX occupied the #38 spot in the BusinessWeek top 50 rankings and enjoyed $17.4 billion in annual sales [2]. TJX is just one example of a compliance violation, but it raises the obvious question: what is the incentive for any organization to devote resources to regulatory compliance if the cost of the fine is less than the cost of implementing the safeguards?

Following The Cash

The reality is that the penalty levied against an organization for non-compliance does not have the "teeth" needed to incentivize organizations to commit budget to regulatory compliance. The real incentive lies on the front page of the newspaper you read every day. Potentially the event that puts an organization at its greatest risk is having its name splashed across the front page of the Wall Street Journal for all the wrong reasons. An article of that kind shakes customer confidence and immediately and profoundly affects the long-term viability of the organization. We need look no further than the company's stock price as the true barometer of public confidence and of the valuation of the company. TJX's breach was disclosed in January 2007, just before the start of the economic downturn. Just before the disclosure, TJX's stock hovered at $30.03 per share. Three months later, in March 2007, the stock had declined by $3.93 per share to $26.10. Taking into account the just over 413,530,000 shares outstanding, market capitalization was reduced by roughly $1.6 billion, at least partially because of shaken customer confidence. That is a number too large for any company to ignore.

Working Smarter

In the current unprecedented economic climate, with unemployment topping 10% and stocks lagging at 1999 levels, budgets are not increasing. Moreover, our organizations are significantly more distributed than they were even five years ago, and more of our business is being done online, which makes a violation more likely and, at the same time, harder to detect until it is too late. How do we ensure that our company does not land on the front page of the morning paper as the next textbook example of a compliance breach? There is no secret formula, but there are some key ingredients to getting started:

  1. Know Thyself – Today we run on the clock of the global economy. Stock markets, banking and investing are open for business 24/7/365, and to remain relevant in this highly competitive and dynamic field our individual businesses must follow the same schedule. This certainly yields great opportunities, but also substantial threats. Because the business is dynamic, regular audits and a planned roadmap should be religiously adhered to and re-evaluated regularly. Proactively deploying the proper controls eliminates many of the pitfalls and associated costs before problems mushroom.
  2. Partner with the experts – Organizations no longer have to keep all of their domain expertise in-house, and compliance is a good place to employ this theory (no pun intended). With new rules constantly being rolled out, it can often be easier and cheaper to outsource portions of the compliance practice to organizations that are experts in the field. In many reported cases the outsourced expert was able to discover and correct compliance breaches for the FSI before a violation notice was served by the governing regulatory agency.
  3. Utilize Education + Technology – Financial services is often viewed as an industry that has pioneered the use of technology, which is now core to the business. It has produced new business models and new lines of business that have allowed the industry to flourish. Because so much of the business is intertwined with technology, and because that IT is so advanced, it can also be turned into a discovery and enforcement point that mitigates potential compliance threats long before they become violations. This is not only cost effective; proper education reduces the incidence of violations, while technology catches the inevitable violations that can and will occur, with fewer false positives and false negatives than legacy methods of enforcement.

The current economic climate, and what brought us here, will undoubtedly result in new legislation for financial services. Building the proper foundation now can help us be better prepared to embrace these new regulations and allow us to accelerate out of the downturn, while ensuring that the only time we are on the front page of the morning paper is for all the right reasons.

References:

[1] SC Magazine, "TJX settles over breach with 41 states for $9.75 million", www.scmagazineus.com/TJX-settles-over-breach-with-41-states-for-975-million/article/138930/

[2] BusinessWeek 50, 2007, #38: TJX, www.businessweek.com/bw50/2007/38.htm