Avoiding fines and regulatory rebuke is at the top of every compliance officer’s mind. At Relativity Fest Chicago in October 2022, Steve Luparello, former FINRA and SEC regulator, and I teamed up to discuss the findings of a recent Opimas report in the compliance session, “Reading the Signs: Regulations, Enforcements, and Post-infraction Spending.” (Download a copy here to read the report in full, along with the accompanying case study; you can also still register for Relativity Fest to watch session recordings through December 16, 2022.)
In the more distant past, regulators often tolerated a sort of pantomime by financial services firms to demonstrate efforts made toward remaining compliant. This is no longer at all acceptable to regulators, who are only increasing demands on the firms they supervise.
Although efforts to avoid falling on the wrong side of the rules are now substantial, penalties remain quite common. In fact, since the year 2000, about one-third of large financial institutions have received fines totaling $50 million or more every year—from US regulatory and judicial bodies alone. On the other hand, about half of all major financial institutions received no penalties in any given year.
[Figure: Distribution of annual fine totals from US bodies]
Although they dipped a bit in 2021 due to delayed investigations during pandemic shutdowns, fine totals remain hefty. As can be seen in the graph below (source: Regulators, Good Jobs First, Opimas analysis), the United States is by far the largest issuer of penalties within financial services, although banner fines do also come from less consistently punitive jurisdictions.
The Malaysian authorities, for example, demanded a significant settlement from Goldman Sachs in October 2020 for its involvement in the 1MDB corruption scandal. Not to be outdone, the US Department of Justice (DOJ) also fined Goldman Sachs US$2.9 billion for its role in the same affair.
Why Does the United States Fine More than Other Countries?
While the United States is home to an impressive share of the globe’s financial activity, it still issues a disproportionately larger volume of fines than other jurisdictions do. It is tempting to speculate about potential explanations for this phenomenon. The United States offers, through its whistleblower program, significant financial incentives for misbehavior to be brought to the attention of the authorities, which might be a factor. Perhaps the relatively high incarceration rate also indicates a distinctive penal culture in the United States compared to other countries. There are likely several confluent explanations for this outcome.
Even within the United States, dominion over different regulated areas is debated. For example, a deliberation is ongoing over whether cryptocurrencies should be regarded as regulated securities at all, which will determine whether the Securities and Exchange Commission (SEC) or potentially the Commodity Futures Trading Commission (CFTC) will be responsible for oversight and penalty collection in this area.
For individual headline-making violations, the fines are also often portioned between agencies. For instance, in late 2021, JPMorgan was ordered to pay the SEC $125 million and the CFTC $75 million for recordkeeping failures. The regulators asserted that the bank failed to ensure that employees used only monitored communications channels for business purposes.
Industry-wide Compliance Spending is Growing
Spending by financial institutions on compliance technology and operations is significant even in the best of times. Opimas anticipates that in 2022, total spending will nearly reach $26 billion, growing by about 12 percent year-on-year. Still, considering the size of fines, one could easily argue that the financial services sector chronically underspends on compliance and compliance-enabling technology.
Bearing this in mind, financial institutions can be observed boosting investment in compliance technology and personnel markedly, even before the fines are made official. The hope is that a display of responsible actions and investment in improving compliance activities will increase the likelihood that the regulator will, if not recede into the horizon altogether, at least reduce the severity of the eventual punishment.
As a part of the eventual enforcement action, firms are also tasked with remediating their risk control framework to ensure that similar infractions cannot reoccur without being identified. Work on this, including allocating budget, naturally also begins before the final notice is published.
While spending does not typically balloon until after the penalty is made official, compliance teams begin shopping in earnest for ways to improve their compliance programs as soon as regulatory scrutiny increases. A major increase in compliance spending occurs just around the time that major penalties are made public—growing by up to about 80 percent, regardless of the type of regulatory infraction. Spending on technology is rarely reduced in any meaningful way, but the short-term spending on additional staff or man-hours is typically tapered once the crisis subsides.
Growing Concern over Communications Surveillance
Historically, regulatory penalties often included language indicating a failure to implement sufficient retention and surveillance of communications channels, though this rarely was the sole reason that a financial institution was in the doghouse. A few recent exceptions include a 2018 $290,000 fine to Lightspeed Trading for its failure to identify that a representative was using a personal instant messaging account for business purposes, and a 2017 $2 million fine to Raymond James for its failure to invest enough in people and technology for the monitoring of emails. Individuals have also been held responsible for similar infractions in recent years.
Because these fines have been relatively small and rare, many firms felt reasonably comfortable simply putting corporate policies in place that clearly forbade the use of unmonitored channels. This approach to meeting regulatory requirements has been particularly common for historically hard-to-monitor streams such as voice, video, mobile, encrypted chat applications, and personal devices.
Due to the pandemic and work-from-home requirements, however, reliance on these methods of communication is only increasing. Discomfort with relying on bans is also growing rapidly after JPMorgan’s late 2021 $200 million fine for neglecting to monitor WhatsApp and personal email. Citigroup was also recently held responsible, to the tune of $400 million, for more wide-ranging deficiencies in its risk controls.
Unmonitored personal devices also pose a serious risk to financial institutions, with Morgan Stanley, Bank of America, and several other big banks expecting to pay fines of about $200 million each.
These events are likely heralds of similar penalties awaiting financial institutions in the coming few years, especially as the backlog of investigations is dealt with. Not too long ago, financial institutions would have been aghast to receive major fines, fearing irreparable reputational damages. However, Bank of America, JPMorgan, Citigroup, Wells Fargo, Deutsche Bank, and Goldman Sachs are all still thriving even after seismic infractions. As fines have become more common and expected, the stigma surrounding them has concurrently lessened.
It bears reminding, however, that the total cost of an infraction is far larger than the fine mentioned in the headlines. The loss itself (a trading loss, where applicable), the regulatory fine, the legal bill for agreeing to the outcome with multiple regulators, and the remediation project costs must all be taken into account. In aggregate, these costs can easily dwarf the final fine amount.
Get your copy of the full report and accompanying case study here to learn more about our findings.