Strengthening banks’ compliance frameworks

Compliance functions are a key component of banks’ second line of defence for managing risks. Their role is to ensure that banks operate with integrity and adhere to applicable laws, regulations and internal policies. A strong, independent compliance function can mitigate risks related to misconduct, money laundering and other forms of non-compliance.

Joint Supervisory Teams (JSTs) assess the effectiveness of euro area banks’ compliance functions as part of the Supervisory Review and Evaluation Process (SREP). Recent assessments show that, while banks have made some improvements to their compliance frameworks, progress is still needed in three main areas: (i) governance, (ii) dedicated resources (in terms of number and quality), and (iii) implementation of policies and processes.

Since the start of European banking supervision, JSTs have seen banks improve the governance and stature of the compliance function. In almost all cases, compliance units now have formal direct access to the management body in its supervisory function, as required by the EBA Guidelines on internal governance. Hierarchical reporting lines ensure, to varying degrees, that the Chief Compliance Officer is more independent and has a higher stature. However, in some banks, the Chief Compliance Officer also has another role (for instance, as head of the legal department or non-financial risks department). This is not in line with the EBA Guidelines – except in the case of the smallest banks, where proportionality can apply. As an overarching principle, the Chief Compliance Officer needs to devote sufficient attention to compliance and should therefore be dedicated to the role on a full-time basis.

Banks still need to strengthen the oversight of the compliance function. Despite improvements over the past few years, some compliance units still do not report to the board’s supervisory function frequently enough. Banks are expected to ensure regular reporting to the management body in its supervisory function throughout the year. This reporting should be proportionate to the frequency and severity of issues raised and to the nature of banks’ risk profiles. Furthermore, in some cases, the management body still does not assess the effectiveness of the compliance function. A sound practice – already observed in some banks – is for the management body to discuss the effectiveness of the compliance function each year, based on a report prepared by the latter and an opinion provided by internal audit.

Banks’ compliance functions need to have adequate resources, from both a quantitative and a qualitative perspective. As stipulated in the EBA Guidelines, staff working in compliance should have sufficient knowledge, skills and experience to fulfil their tasks. Despite a slight increase over the past few years, the staffing of some banks’ compliance teams remains too low to cope with any increase in compliance-related workload or challenges.

Another key success factor for efficient compliance management is the quality of IT tools. Some recent incidents have shown that a weak IT infrastructure for compliance monitoring (e.g. alert systems) could make it more difficult to identify risks. In this respect, recent advances in IT provide an opportunity to make compliance functions more efficient.

Banks need to do more in terms of implementing compliance-related policies and processes. They should enhance their testing, increase the involvement of the compliance function in product approval processes and improve the follow-up of compliance issues or incidents reported by the second and third lines of defence. As a sound practice, some banks have set up a separate quality assurance unit to perform compliance testing across business lines and entities. Others have also appointed a dedicated person to coordinate the controls performed by front-line business areas, thereby enhancing the accountability of the front line as regards compliance-related risks.

Measuring these risks is another area in need of further improvement, as several banks still fail to properly include them in their risk appetite frameworks. There are, however, a few banks that have developed comprehensive risk appetite statements on compliance which are regularly discussed within the board’s supervisory function, enabling relevant issues to be flagged.

Strengthening banks’ compliance frameworks may require a change of mindset for some banks. This means setting the right tone from the top, defining clear accountability for compliance (within the three lines of defence), creating incentives to promote a sound compliance culture and giving the compliance topic the importance it deserves and needs.

ECB Banking Supervision will continue to press banks to enhance their compliance frameworks, taking into account the ever-changing banking landscape. Supervisors will also perform further on-site inspections and deep dives on this topic over the coming months, with the outcome reflected in the 2020 SREP.