GRC 3.0: The Future of Regulation and Governance

Tags: aml/cft, cdd, compliance, customer due diligence, financial services, fit and proper, proffered, governance, regulation. Oct 27, 2021

In my engagements with financial services professionals, I have shared my vision of the future of regulation. One aspect of regulatory engagement that I expect to change is increased supervision of the governance function in regulated firms.

Why? Because there is no such thing as a ‘good’ or ‘bad’ company. It is the people, and that all-important ‘tone from the top’, that shape the compliance culture of a firm, regulated or not. Another why? Because monetary penalties from enforcement action are no longer dissuasive and seemingly only hurt shareholders. Some firms have, ironically, treated penalties as a cost of compliance. There is growing recognition of this amongst regulators: to really get a firm’s attention, a regulator need only tap its governance. However, looking at the people is only one facet. Regulators will, in my opinion, invariably drill down into the entire governance framework.


Corporate Governance and Financial Services

To be clear, the governance framework spans policy implementation, decision-making, risk management and the integration of compliance requirements. These aspects must all be rooted within the corporate governance framework.

"Corporate governance involves a set of relationships between a company’s management, its board, its shareholders and other stakeholders. Corporate governance also provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance are determined." (OECD, 2015)

Diving deeper, Risk and Compliance are also interlinked with Governance.


The Three Cogs of GRC

The three cogs of GRC – Governance, Risk and Compliance – essentially work like components in an engine. Governance sets Risk Tolerances, which drive the Compliance Framework that is injected into the procedures and operations of the firm. Culture also plays a role and may be seen as the lubricant, influenced by Governance, that is needed for a smooth-running engine. If the culture within a firm is toxic, that firm tends to have higher occurrences of issues being under-reported (both internally and externally) to stakeholders, including auditors and regulators. There may also be a high turnover of skilled staff that leads to a gap in institutional knowledge. Given the interconnected nature of Governance, Risk and Compliance, it is only logical for regulators to increase their focus on Corporate Governance.

Regulators are keenly aware that a firm’s Corporate Governance framework impacts outcomes. Paraphrasing Mr. Simon Osborne, the former CEO of the Chartered Governance Institute UK & Ireland: regulators are like a “second board” for the firms they regulate. He also remarked that,

“Run well, they can provide a clear and stable framework within which those organisations can operate. Run badly, they can keep changing direction and be tempted to micro-manage.”

What this underscores is that balance in a regulator’s engagement is critical! Regulatory decisions cannot be arbitrary or irrational. Mr. Osborne’s words only reinforced to me that dialogue with the regulated community is vital!


Overhauling Engines & Our Engagements

Now, more than ever, this dialogue between regulators, firms and other stakeholders is needed! An effective regulator’s engagements with regulated firms can, in part, help to positively shape governance. Timely conversations focused on outcomes should form part of a regulator’s holistic engagement. Appropriate ‘regulatory distance’ must also be kept, to ensure that firms have ‘right-touch’ regulatory oversight and are not smothered. The outcomes that regulators can focus on for better governance include:

  • mitigating misconduct;
  • empowering a resourced compliance function; and
  • embedding accountability within the reporting lines.

Regulators are also hyper-focused on AML/CFT reviews of the firms they supervise. In that focus, the hazard is that they become too myopic about where the root causes of AML/CFT failures lie. These failures are often a symptom – the knocking in the engine and grinding of gears – and not the root cause. The symptoms are corrected, but the underlying issues are never diagnosed.

Regulators are very good at issuing corrective actions in relation to AML/CFT deficiencies in files, yet these corrective actions sometimes do not seem to have staying power. Another why? The compliance function alone cannot achieve compliance! Where the objectives of senior management and the Board diverge from compliance, the best-intentioned compliance professional will be like a performance vehicle spinning its wheels on a rolling road: the speed will be there, but they will go nowhere fast.

In financial services firms that are driven to achieve quotas on ever-tighter timelines, a regulatory requirement for deferral of bonuses can be very useful. Pressure on profit margins and self-serving agendas within senior management are other factors that drive bad behaviour and are used to rationalise wilful non-compliance. These can lead to serious breaches, including sanctions-busting, skirting CDD requirements and not spending money on staff training or systems development.

To disincentivise predatory behaviour and potential misconduct, regulators are now requiring deferred remuneration for senior managers. This is geared towards eliminating the reward for bad behaviour by senior executives that may not be evident in short-term reporting. Some countries are also introducing provisions to enable claw-back of compensation in other instances.

Most regulators also have other powers to address misconduct, including censures, disqualifications and lifetime bans imposed as enforcement action in response to bad behaviour. However, these are largely reactive and have limited, if any, impact on the ongoing GRC culture.


Future Focus – Situational Awareness is critical!

It is not a matter of whether regulators will integrate corporate governance more fully into their regulatory oversight. It is the direction in which all regulators will move! The use of technology in core regulatory functions will quickly increase. SupTech will allow certain prudential key performance indicators (KPIs) to be assessed quickly, leaving time for more nuanced assessments of governance.

Governance drives a firm’s culture, and culture influences compliance. Because of this, regulators’ focus on Corporate Governance issues, and their enforcement actions against individuals, will increase! Regulators may require firms to integrate other layers – such as a strong internal audit function and the use of company secretaries – to improve governance, adherence to statutes and mitigation of risks. These areas will also likely fall within the scope of the regulatory inspection process with increasing frequency. If you are a future-focused director, senior manager or compliance professional, you need not wait for a regulatory mandate.

Consider what you imbue into your firm’s GRC framework. It is not enough to treat integrity, disciplined management and empathy as a seasoning sprinkled over the framework, just as you wouldn’t drizzle oil into the sump and expect everything to run smoothly. Ethics, values and accountability need to permeate your firm like a well-oiled machine. Failing which, your GRC framework will grind and crack under the strain of pistons, gears and drive shafts that no longer support compliance.



OECD (2015), G20/OECD Principles of Corporate Governance, OECD Publishing, Paris.