Risk & Compliance Fines Add Up as 2020 Closes; Inadequate Internal Controls Are a Common Culprit
There are (still) no shortcuts in risk management, and financial services regulators have kept their attention on Internal Controls functions.
A spate of examples emerged in October when the U.S. Office of the Comptroller of the Currency (OCC) announced significant fines against big banks for failing to address compliance and risk management deficiencies – and internal controls are at the heart of the problem.
Bloomberg Law summarized the OCC’s actions with an at-a-glance view of risk management problems identified by the regulator at these major financial institutions.
A Seattle-based threat data analysis firm for the security community dug deeper, looking at the tally of fines from August to October of 2020. F5 Labs added up $625 million in fines against financial institutions, including Citibank’s eye-opening $400 million fine and fines against Morgan Stanley and USAA Bank. One notable outcome is the resignation of Citigroup’s Chief Risk Officer as the bank works to overhaul its enterprise risk management approach. Separately from the OCC, the Federal Reserve Board took related enforcement action against Citigroup, issuing a cease and desist order requiring the company to improve its risk management practices, including in the areas of compliance risk management, data quality management and internal controls.
An interesting counterpoint was uncovered by the FCPA Blog in the OCC’s report: Citigroup disclosed that 15 percent of its staff – or 30,000 employees – are categorized as “risk, regulatory and compliance staff,” up from 4.3 percent 10 years ago. The blog dug into the OCC report to try to understand if an “army of risk and compliance personnel” improved or hindered Citibank’s risk mission in an environment of “extensive and frequently changing regulatory and legislative requirements.” FCPA’s Richard Cassin raises some good points, worth a read.
The OCC kept moving in November, citing inadequate internal controls and internal audit and deficient risk management practices, as well as an “insufficient framework” for avoiding conflicts of interest, in a consent order with JPMorgan Chase that carried a $250 million fine. The OCC noted in its statement that JPMorgan Chase was remediating the deficiencies that led to the fine.
In Europe, Goldman Sachs is facing nearly $3 billion in fines from the FCA and PRA in the UK, the Fed in the US, and authorities in Singapore for risk management failures.
Financial institutions are said to be rushing to take fines and settle outstanding issues with authorities, American Banker said, to get ahead of President-elect Joe Biden appointing more aggressive regulators who may take tougher positions. The magazine reported that financial institutions had racked up more than $4 billion in U.S. fines in a wave of settlements before the election. Meanwhile, the SEC has sent warning signals to companies to pay attention to another aspect of internal controls: governance of stock sales by senior executives, or insiders.
“Significant fines against big banks serve as important reminders that ongoing failures to correct longstanding compliance and risk management deficiencies will have consequences,” a Bloomberg legal analyst wrote in a summary of the recent ongoing risk management failures.
Keys to implementing a strong internal controls program
Given the growing risk landscape and rapidly changing business climate, organizations are demanding agile and transformative internal control approaches that respond to today’s corporate challenges. C-suite executives need to feel confident that their lines of defense are leveraging technology to manage those risks effectively. However, during the 2020 pandemic, company leaders may have tried to reduce costs by diverting internal controls resources, to compensate for profitability shortfalls due to business interruption related to Covid-19.
An effective internal control program is crucial to success in today’s rapidly changing business environments. Moving beyond spreadsheets and other tools to a purpose-built, intelligent and automated solution can provide the C-suite confidence that unwanted risks are adequately addressed, laws and regulations are being adhered to, financial statements are accurate, and resources are allocated appropriately. Executive leaders must seek solutions that provide real-time access and value-added analysis to help ensure their organization’s internal control program is supporting corporate goals and business outcomes.