‘The most insidious risk of all is the risk of complacency’ – OSFI

In December 2022, the U.S. Department of Justice (DOJ) Deputy Assistant Attorney General Nicole Argentieri made a bold endorsement of proactive compliance. Speaking about the “clearest path for a company to avoid a guilty plea or indictment”, Argentieri said:

“The message here is clear. Do not wait for us to call you. By then, it’s too late.”

Argentieri was certainly not alone in her remarks, instead echoing myriad other regulators and supervisory bodies who have called for proactive compliance. Now, it is the turn of Canadian Regulator, the Office of the Superintendent of Financial Institutions (OSFI), who has announced that it will base its strategy “on a bias towards action”.

Talking at the recent RBC Capital Markets Bank CEO conference, OSFI Superintendent Peter Routledge set out how the regulator will tackle the current “perilous risk environment – one in which the visible risks are quite daunting and the unseen risks over the horizon could yet swamp those visible risks”.

Drawing on examples such as Russia’s invasion of Ukraine, the rise and fall of crypto, and the increase in inflation, Routledge notes that the risks to financial services are becoming increasingly unpredictable. The only way to mitigate these risks is by developing a “bias towards action”, he says.

In particular, OSFI sets out four main areas of focus for proactivity:

1. Ensuring that Canadian federally regulated financial institutions (FRFIs) are well capitalized with ample buffer to absorb shock

2. Advancing resilience to the risks and opportunities triggered by climate change

3. Ensuring Canada’s financial system has the capacity to manage the opportunities and risks of the digitalization of financial services

4. Place greater focus on governance and the risks that occur where governance is inadequate

Proactive compliance from the regulator will trickle down to the regulated

Routledge’s remarks echo those of Financial Conduct Authority (FCA) CEO Nikhil Rathi who, in July 2021, said that the FCA would transform to a “forward looking, proactive regulator”. Indeed, OSFI is not the first regulator to commit to proactivity, nor will it be the last. What is notable, however, is the context around OSFI’s remarks, which are delivered at a time of significant economic and societal turmoil.

In order to maintain stability for financial services, Canada’s regulator understands that it cannot wait for market events to unfold before it. As Routledge recognizes, “we would rather err on the side of acting too early than be criticized for acting too late”.

This is a sentiment that will likely resonate with compliance and legal teams the world over, who are set on a near-constant path of predicting risk and acting before that risk materializes. The difference being, however, that compliance teams will often be looking to their respective regulators for guidance.

If OSFI is to be more proactive, as it has committed to, we will likely see a trickle-down effect of increased pressure on firms to be equally as proactive. If the regulator is responding to risk in a more agile way, so too must those that they regulate. This has certainly been the case in the UK where, since Rathi’s announcement in 2021, the FCA doubled its activity in the following year.

How can firms ensure proactive compliance?

There are a number of key ways that firms can be more proactive and avoid the perils of increased regulatory scrutiny:

1. Scan the horizon for regulatory change and emerging trends

While powerful, regulators are seldom original in their focus and will look to their foreign counterparts to form their own regulatory regimes. For example, where the EU led the way for Operational Resilience with the Digital Operational Resilience Act (DORA), the UK followed suit with its own Discussion Paper. The same is true in the case of compliant communication – where the US currently leads the way, the UK will likely follow.

In order to succeed, compliance teams should be looking ahead for regulatory change to anticipate what might come next. A forward-thinking approach is the quickest route to proactivity and, in turn, future-proof compliance.

2. Invest in technology or solutions ahead of time, to ensure you can meet emerging compliance needs from day one

Understanding emerging regulatory approaches and requirements is one thing, being able to comply ahead of time is another. As Routledge noted in his speech;

“To be clear, this work is not being prompted by a specific incident, but rather to ensure that we are prepared for both the seen and unforeseen risks on the horizon.”

This approach should be heeded by financial institutions who should act not because they are remedying an error, but because they are preventing that error from happening in the first place. Having established areas of emerging regulatory focus, ask yourself whether you’d stand up to regulatory scrutiny. If the answer is no, invest in the technology or solutions to change that ahead of time.

3. Ensure you have adequate supervision measures to spot bad practice, before it’s too late

In short, this means keeping your eyes open for bad practice and not feigning ignorance where you see it in action. As Routledge commented;

“The most insidious risk of all is the risk of complacency.”

Firms should be actively supervising the activity of their company to ensure that bad practice is prevented, or swiftly remedied where it does occur. As seen from recent enforcement action, there is no greater compliance sin than seeing bad practice and failing to act.

Looking ahead, consider whether a restrictive approach to compliance is an effective solution, or whether it pushes bad practice underground. In the case of compliant communications, for example, banning channels often just makes room for illicit comms.

Empowered, proactive compliance won’t only make yours and others jobs easier, it might just save you from regulatory enforcement.

Global Relay empowers firms to take control of compliant communications by enabling WhatsApp, text, instant message, and voice – capturing it all and placing it in a single, intelligent archive.