How to deliver a transformative financial crime remediation programme
Financial crime remediation programmes don’t tend to have the best reputation - blown budgets, scope creep and a nagging doubt that the next remediation is just around the corner are common themes. This doesn’t have to be the reality. A remediation programme can be truly transformative for an institution if built on solid foundations with clear strategy and robust governance and leadership underpinning it.
Below I have picked out some key considerations to help avoid common pitfalls. This comes from years of experience working on a variety of remediation programmes - from a small-scale uplift of a private bank’s high-risk customers to wholesale remediation of firms’ financial crime frameworks and everything else in between.
What is the root cause?
In our experience, irrespective of the size of the firm and the initial trigger, whether that is audit, FCA / Skilled Person or compliance monitoring, the tendency is to address today’s problem only, rather than think about the root cause of the issue and how it will have led to other (potentially uncrystallised) issues. This leaves the cause(s) of the initial issue lurking, waiting to rear its head and cause bigger problems, sometime in the not-too-distant future.
Considerations
Group – are you encumbered by Group systems / procedures which are not aligned to regulatory requirements? Do you have a plan to test and implement appropriate systems and local procedures?
Technology limitations – are your processes largely manual, leading to risk of human error, backlogs, inefficiencies and poor customer experience?
Procedures – how have you got comfortable that your procedures are adequately detailed and lead to consistent, regulatory-compliant outcomes to avoid re-remediation?
Is there a plan to fix the root cause(s) – identifying the root cause(s) is half the battle. Do you have a robust plan in place to remediate the root causes which aligns to your financial crime strategy and are relevant stakeholders across the firm engaged and committed to delivering change?
Short termism
At a time when there are budgetary constraints across the industry, it’s understandable that firms are likely to take decisions based on restricted financial resources at their disposal. Short term cost savings can simply be a case of deferring the bill and increasing the likelihood of future, increasingly severe, regulatory failures coupled with business restrictions and a big fine. Decisions made on the programme should be made with the medium to long term in mind throughout the lifecycle of the programme.
Considerations
Don’t run before you can walk – have you met your operational readiness criteria and have agreement from all relevant stakeholders that activity can start?
Are you knowingly walking past underlying issues - does the remedial activity you are about to embark on fix the underlying issue?
Open culture – have you fostered a culture where those involved in the remediation programme are empowered to speak up if part of the programme isn’t delivering to plan or poses a delivery risk?
Interim fixes - if the control fix is an interim measure – is there an action plan in place to implement a permanent control that can withstand business growth / change?
Documenting new / updated processes - if operational controls are uplifted as part of a remediation, does the accompanying documentation (policies, procedures and standards) reflect the changes to the framework?
Emerging issues - are there other control weaknesses that have been identified during the remediation programme where the risk is yet to crystalise which are being walked past that need to be remediated?
Resourcing
Irrespective of the size of the institution and the scale and duration of the remedial activity – it is going to impact on the day-to-day BAU activity, particularly for staff in the first and second line. Increased activity across the customer book is likely to lead to an increase in SARs, customer exits (including escalations to reputational risk forums), requests for the investigations team, customer complaints, operations teams, inbound customer contact team, quality assurance reviews, including oversight of third-party resource and countless requests to data functions.
Considerations
Oversight of contract resource – do risk owners maintain appropriate oversight of the output of the remediation function resource and take swift action when quality / SLAs are not met? Can you evidence how and why decisions were taken to onboard / offboard vendors linked to agreed KRIs and KPIs?
Capacity within BAU – are you comfortable that your capacity plans are based on reasonable assumptions (ideally based on test / pilot cases) and that BAU teams will be appropriately augmented by additional resource to support their increased workloads stemming from remediation?
Dedicated PMO – does your programme have appropriate PMO resource that will enable you to deliver on plan, manage the day to day of the project and engage with the programme sponsors / face off to senior leadership / Board?
QA – does the programme have an experienced QA team to enable you to keep on top of vendor quality, uphold standards and act as an appropriate conduit between all stakeholders?
What is the end goal?
Where firms have a clear financial crime risk management strategy, they are clear on how remediation fits into that strategy and what it will achieve. If remediation is viewed as a task in isolation to deal with a known issue without thinking of the downstream and upstream implications – it is easy to veer off course.
Considerations
Scope – are you clear on what remediation will achieve and more importantly what it won’t achieve? Can you demonstrate that the scope of the remediation programme is driven by risk as opposed to cost and are able to demonstrate this in scope documents and governance meeting minutes?
Risk based – are you comfortable articulating to the regulator how the scope is built on risk based decisioning as opposed to being driven by cost considerations?
Population – are you confident with the cleanliness of your data to enable you to define the in-scope population?
Perfection v pragmatism – is the design of your programme based on pragmatism or ideals? Chasing “perfection” is going to get in the way of progress.
Consistent messaging - do all stakeholders across the three lines of defence and your regulator understand the scope? Challenge their understanding frequently!
Regulator commitments – does the scope address specific commitments made to the regulator? If not, are you able to explain why this is the case with appropriate mitigation?
Governance
The success of the programme is heavily reliant on it being underpinned by robust governance to ensure the programme delivers according to plans signed off at board level. The importance of the project and acute interest from the regulator means governance needs to be watertight to enable you to evidence what has been done and most importantly – why!
Robust challenge - are key decisions clearly documented with robust challenge consistently evidenced? Are all relevant stakeholders involved in decision making (first- and second-line financial crime risk, operations, data / technology, legal, customer engagement / sales?) and can you evidence their approvals at the different stages of programme design and any subsequent changes?
Record keeping – is there a clear audit trail which documents what remediation sets out to achieve (and what it won’t achieve!) and the level of legal and regulatory compliance to be delivered?
Governance framework – does your remediation governance effectively interact with your wider governance framework and ensure stakeholders across the firm understand how decisions made within remediation impact on them and the same in reverse?
Definition of done – have you defined what the definition of done is for each deliverable / milestone and how each component links back to the scope? Most importantly – can you evidence how you have met the definition of done with supporting artefacts and that Board approval has been provided?
As ever, we would love to help. We can help you no matter what stage of your remediation you are at by providing subject matter experts from our financial crime practice and vastly experienced project management resource from our Change and Transformation practice. Our people will take their time to understand your business and become an intrinsic part of the collective effort.
If you would like to discuss any points above in further detail, drop me a line at greg@avyse.co.uk.
