The 2008 global financial crisis was a watershed moment for the financial services industry, sparking the onset of tougher regulatory mandates and bringing more protection, stability and security to capital market participants.
In fact, the cost for the corporate and investment banking (CIB) industry globally to comply with the post-crisis regulations, up until 2023, is estimated at USD 214bn per year, which represents a 60 per cent increase in spending compared to pre-crisis norms.
For a typical Tier I to Tier III CIB, this spending can represent 25 per cent of an institution’s IT budget, or 10 per cent of overall operating expenses. On average, Tier I CIBs or the largest non-bank brokerage firms (that is, those companies that employ around 20,000 people) will spend more than USD 200mn in compliance costs per annum.
In comparison, Tier II CIBs spend approximately USD 100mn per year. Across the entirety of the sellside of the financial services industry globally, the average cost of regulatory compliance equates to around USD 10k per head per year.
Regulatory compliance costs can be assessed not just by reported IT or wider Opex spending, but also in the form of fines levied on firms or institutions by enforcement actions.
For example, the UK Financial Conduct Authority issued more than GBP 4.5bn in fines between 2013 and the end of 2023, while the US Securities & Exchange Commission published a record 862 enforcement actions and 760 in 2022. When applied to the UK, specifically, FCA fines typically result in hidden costs for the firms or institutions they are imposed on; for every GBP 1mn in fines recorded by a CIB, it is estimated that:
● GBP 2.5mn is lost due to the business disruption triggered by the enforcement action;
● GBP 2mn of revenue is lost; and
● the cost of lost productivity is put at GBP 1.8mn.
The chart below shows how, in the UK between 2013 and 2023, the number of Financial Conduct Authority fines recorded per year appears to follow a pattern; that is, starting in 2013, the GBP amount levied typically increased the following year and then decreased the year after, with 2016 and 2023 marking the only years in which total fines decreased two years in a row. This observation suggests that both CIBs and the UK FCA are inconsistent in their enforcement or implementation of effective risk management practices designed to offset compliance risk.
Source: FCA and GreySpark analysis
CIBs must also wear costs associated with their own, voluntary, internal business standards and hygiene factors for risk management, with an institution typically holding thousands of controls and policies within the first line of defence (1LoD) alone. As the number of internal 1LoD risk management controls and policies increases year-on-year, institutional demand for bespoke risk management software capable of handling evolving and more complex front-office operational needs grows as well.
As a result of the cost pressures created by regulatory fines associated with compliance and with market / trading risk management and by IT operations associated with internal LoDs, CIBs naturally outsource a large number of functions to external, third-party providers. According to Reuters, the number of compliance functions outsourced by global systemically important banks, for example, grew by 12 per cent in 2022 to account for 36 per cent of their total compliance activity, putting those institutions ahead of the average 30 per cent across the industry. At the same time, with the exception of Tier I CIBs, institutions typically cannot afford to fully build their own risk management systems, lacking the resources to keep up with and understand a continual stream of regulatory change such that they can quickly and strategically update applications and operational processes.
As such, when conducting technology vendor selection exercises designed to outsource risk management functions by way of automation, CIBs must identify all the controls that can be mapped into any given product or onto any one trading desk. In doing so, CIBs must consider how far the LoD process should be digitised and which solution is the right one subject to their own technological requirements. CIBs should be wary of digitising beyond the confines of the original objective, which risks undoing the capabilities of the entire estate.
In addition, GreySpark is of the view that the implementation of GRC and risk management vendor solution(s) within any CIB and across any LoD must be both Agile in nature (due to ever-changing regulatory demands) and scalable in terms of change management or future-proofing.