KU Leuven Faculty of Law Research Unit of Economic Law
DRAFT October 2015
Systematization as a response to regulatory expansion in the financial sector
Veerle Colaert Financial Law Professor KU Leuven
Abstract

In the aftermath of the financial crisis, the financial sector was hit by a tidal wave of new legislation. This contribution examines the often neglected question of how financial institutions can remain compliant with this ever-expanding financial legal framework. Particular attention is given to the potential of systematization to ensure abidance with the law. Systematization indeed holds the promise of considerable gains in terms of increased efficiency and reduced risk of individual errors and liability in this context. On the other hand, the author identifies considerable disadvantages of systematization, such as its high costs, the problematic side-effects of “dehumanization” and new types of systemic risk. As systematization nevertheless seems to be one of the very few answers to the compliance challenge, the author presents several strategies to remedy or reduce each of these disadvantages.

Keywords: financial regulation, supervision, compliance, information technology
Introduction .......... 4
I. How the law contributes to financial stability: three aspects .......... 3
   A. Financial regulation .......... 4
   B. Financial supervision .......... 6
   C. Compliance .......... 7
II. Systematization as solution to the compliance challenge? .......... 10
   A. Background .......... 10
   B. Benefits of systematization .......... 12
      1. Increased efficiency .......... 12
      2. Reduced risk of individual errors .......... 13
   C. Disadvantages of systematization .......... 14
      1. Inaccurate systems lead to systematic errors .......... 14
      2. Costs .......... 20
      3. Dehumanization .......... 24
   D. Perspectives: Customer Relationship Management (CRM) .......... 26
      1. Customer Relationship Management (CRM) .......... 26
      2. Admissibility of the use of client information for CRM purposes .......... 27
      3. CRM and the compliance challenge .......... 29
III. Conclusion .......... 30
Introduction

1. Tidal wave of new legislation. In the aftermath of the recent financial and economic crisis the financial sector was confronted with an “unprecedented regulatory outpouring”1, setting out to increase financial stability.

2. Staying afloat. The contribution of the law to a stable financial sector is usually claimed to rest on two pillars: watertight regulation and efficient supervision.2 Less widely discussed is the question of how financial institutions can succeed in mastering and abiding by the vastly expanded regulatory framework. This contribution is dedicated to that question. After having set the scene by briefly describing the role of the regulator, the supervisor and financial institutions in ensuring financial stability, this paper concentrates on the compliance challenge that financial institutions are facing. The question is raised to what extent compliance with financial regulation can be built into a system, IT or other. Systematization promises important benefits in terms of increased efficiency and reduced risk of individual errors when complying with financial regulation. On the other hand, there appear to be considerable disadvantages, such as high costs, the problematic side-effects of “dehumanization” and new types of systemic risk resulting from the use of systematization as a means of facilitating compliance with financial law. By way of conclusion, the interaction between regulation, compliance and supervision is re-examined, underlining the crucial role of financial supervision as an intermediary between legislator and financial institutions.
I. How the law contributes to financial stability: three aspects

A. Financial regulation
3. Goals of financial regulation. Financial law is traditionally said to pursue three main goals with a view to the proper functioning of financial markets: market stability, market integrity and consumer protection. Whereas consumer protection and market integrity are objectives that are also at the basis of other areas of law, market stability is an objective that is unique to financial law. The importance of stable markets is tied in with a risk that is specific to the financial sector: systemic risk. The notion of systemic risk refers to the risk that a certain event or situation causes a chain reaction that results in a breakdown of the entire financial system, serious enough to quite probably have significant ripple effects on the real economy.3

4. European objective – Level playing field. When it comes to European financial law, however, the overarching objective consists of creating a level playing field across the EU. The European legislator has indeed not failed to recognize the importance of the financial sector as a driving force of economic growth.4 Legislation in this domain has therefore been driven, perhaps even more than in other sectors, by the urge to further the completion of an internal market. The European legislator indeed seeks to eliminate legal impediments that affect both financial institutions’ and consumers’ ability to operate in Member States other than their home state. This “integration goal” is the underlying rationale and justification of EU financial regulation. Only in a second stage do substantive objectives – consumer protection, market integrity and market stability – come to the fore in order to steer the content of the harmonized rules.5

1 Expression used by Jeffrey N. Gordon and Wolf-Georg Ringe, ‘Bank Resolution in Europe: the Unfinished Agenda of Structural Reform’ in Danny Busch and Guido Ferrarini, eds., European Banking Union (Oxford University Press, 2015).
2 High Level Group on Financial Supervision in the EU, Report (February 2009) (De Larosière Report) 38, nr. 144: “Regulation and supervision are interdependent: competent supervision cannot make good failures in financial regulatory policy; but without competent and well-designed supervision good regulatory policies will be ineffective. High standards in both are therefore required.” Also: HM Treasury, A new approach to financial regulation: judgment, focus and stability (2010) 28: “… without effective supervision and enforcement, the rules will ultimately lack credibility”.
5. International objective – containing worldwide systemic risk. Financial law standards are increasingly developed at the international level. Unlike at the European level, however, these standards do not aspire to create a global market for financial services, but intend to provide an answer to the unstoppable globalization of the financial sector. Globalization has increased the cross-border interconnectedness of financial institutions, as a consequence of which the reach of systemic risk has substantially widened. International codes of conduct attempt to reduce such worldwide systemic risk by introducing the same high-level standards across the globe.6 This should prevent a flight to the least regulated financial market and a so-called “race to the bottom”.7

6. A spiral of expanding financial regulation? In their turn, the internationalization and Europeanization of financial law facilitate further globalization, as financial institutions face fewer regulatory hurdles when offering cross-border services. As a consequence, local financial problems take on an international systemic dimension even more quickly.8 Thus far the standard reaction of the European and the international legislator to such issues has been to further expand the regulatory framework.9

3 See, for example, Richard J. Herring and Anthony M. Santomero, ‘What is optimal financial regulation?’ in The New Financial Architecture: Banking Regulation in the 21st Century (Benton E. Gup ed. 2000) 52; George G. Kaufmann and Kenneth E. Scott, ‘What is systemic risk, and do bank regulators retard or contribute to it’ (2003) Vol. II nr. 3 The Independent Review 371; G10, Report on Consolidation in the financial sector (January 2001) 126. Art. 2 (c) ESRB Regulation (EU) Nr. 1092/2010 provides an EU definition: “a risk of disruption in the financial system with the potential to have serious negative consequences for the internal market and the real economy. All types of financial intermediaries, markets and infrastructure may be potentially systemically important to some degree.”
4 The European Commission’s slogan for one of its latest financial integration projects, the Capital Market Union, is revealing in this respect: “Unlocking funding for Europe’s growth”. See European Commission, ‘Unlocking Funding for Europe's Growth - European Commission consults on Capital Markets Union’ (Press Release, 18 February 2015).
5 See also Niamh Moloney, 'Investor Protection and the Treaty: An Uneasy Relationship' in G Ferrarini, KJ Hopt and E Wymeersch (eds) Capital Markets in the Age of the Euro (OUP 2002) 48.
6 Examples abound: among others, there are the numerous standards of influential committees like the Basel Committee on Banking Supervision (for example with regard to minimum capital requirements for banks see, e.g., references in footnotes 12, 22, 43); the International Association of Deposit Insurers (for example “Core Principles for Effective Deposit Insurance Systems. A methodology for compliance assessment”, December 2010); IOSCO (see, for example, reference in footnote 8).
7 See, for example, Gillian G.H. Garcia and Maria J. Nieto, ‘Preserving financial stability: a dilemma for the European union’ (2007) 457 Contemporary Economic Policy 25: “It is recognized that globalization involves benefits and challenges – the latter including the need to preserve financial stability when banks cross national borders while the laws and regulations that govern them and the safety nets that protect them do not”.
B. Financial supervision

7. Supervision. Apart from financial legislation, a second pillar of a well-functioning financial law system is supervision by a dedicated public authority.10 Below, the main objective and the method of financial supervision are briefly summarized.

8. Main objective. The main objective of financial supervision is to maintain the public’s confidence in the proper functioning of the financial market and the financial sector’s compliance with financial regulation.11 In our view the goal of financial supervision is therefore to induce financial institutions to implement structural measures to ensure compliance, rather than to ensure that financial law rules are fully complied with in each individual case. This implies that public law supervision is mainly concerned with the organization, structures and standard documentation of financial institutions.12 Structural problems and resulting infringements must be dealt with by public law supervision.13 Financial supervisors should conversely not be concerned with individual irregularities which are the consequence of an accidental individual error. If need be, these mistakes should be sanctioned under private14 or criminal law.15 That is not to say that a financial institution’s relationship with individual clients is irrelevant to public law supervision. The inspection of structures and documentation can be complemented with a random sample assessment of individual client relationships, as specific infringements in an individual client relationship are often indicative of a more general, structural problem. Complaints of individual customers can on the other hand trigger a more thorough screening of the financial institution in question.

9. Supervision and compliance. The finality and the focus of public law supervision indicate how financial institutions should approach the compliance challenge: the emphasis should be on an internal organization that structurally enables correct compliance. The creed of the financial supervisor, in other words, seems to evolve ever more explicitly from “comply with the rules” to “be organized so as to ensure compliance with the rules”.16

8 The IOSCO Task Force on Cross-Border Regulation mentions as goals of “passporting”, among other things, “to facilitate market access, enhance competition and improve capital flows by providing market participants with efficient access to the entire EU market” on the one hand, and, on the other, “to guard against systemic risks in the face of increased access to foreign services, products and market infrastructures”. See IOSCO Task Force on Cross-Border Regulation, Consultation Report (CR09/2014) 30. See also Mads Andenas and Iris H.-Y. Chiu, ‘Financial Stability and Legal Integration in Financial Regulation’ 336 European Law Review (2013) 38: “Commentators have supported legal integration in EU financial regulation on the basis of the high actual level of market integration in the wholesale financial and banking sectors. Market integration has resulted in increasing levels of cross-border activities, which could give rise to issues of supervisory efficacy and crisis management in case of cross-border spill-over effects.”
9 As indicated below (footnote 18), some people advocate another solution, downscaling. This, however, is not the path the European and international legislators seem to follow today.
10 See footnote 2. The structure of financial supervision has been reformed extensively both at national and at EU level. About the reform of the European supervisory structure, which introduced three “European Supervision Authorities” from 1 January 2011 onwards, see, for example, Eilis Ferran, ‘Understanding the New Institutional Architecture of EU Financial Market Supervision’, in G Ferrarini, KJ Hopt and E Wymeersch (eds), Financial Regulation and Supervision: A post-crisis analysis (OUP 2012) 111-158. On the introduction of a European “Single Supervisory Mechanism” in the banking sector as a first pillar of the banking union, see, for example, E. Ferran and V. Babis, ‘The European Single Supervisory Mechanism’ (2013) 13 Journal of Corporate Law Studies 255-285.
11 See, for example, I. Giesen, Toezicht en aansprakelijkheid (Kluwer 2005) 31, 33 and 34.
12 Accord: Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 2: “Supervisors conduct, directly or indirectly, regular independent evaluations of a bank’s policies, processes and systems related to operational risk as part of the assessment of the Framework”.
13 Accord: A. Scheltema and M. Scheltema, Financieel toezicht in bestuursrecht en privaatrecht (Wolters Kluwer 2009) 44.
C. Compliance by financial institutions

10. Importance of compliance. Financial regulation aims to promote market stability, market integrity and investor protection. These objectives are however far from being reached if financial institutions do not manage to ensure consistent compliance. Financial supervisors will therefore monitor whether financial institutions comply with financial regulation. It is however the financial institutions that are responsible for ensuring compliance. Whether and how to cope with the recent flood of financial regulation, let alone ensure compliance, is one of the most contentious questions in the financial sector today.

11. Compliance requires scale – risks. Compliance with the rules is of course important in all parts of society. The explosive increase in the number of regulations, usually complex and sometimes ambiguous, explains why compliance pain is felt more acutely in the financial sector than in other sectors. More than ever, compliance with all these rules requires a certain scale. Employing a small team of legal advisors and compliance officers is unlikely to suffice for ensuring compliance with the legislative framework. Therefore small financial institutions in particular grapple with the flood of new rules and are at risk of being “regulated out of the market”. Large institutions can more easily deal with the regulatory challenges and may spot take-over opportunities.17 A further increase in the number of mergers in turn would raise the number of “systemically relevant institutions”18 and would correspondingly increase systemic risk. Prominent economists therefore plead for a limitation of scale and smaller financial institutions.19 This begs the question of how to reconcile small-scale financial institutions and consistent compliance with an imposing regulatory framework. Some financial legislation expressly indicates that its application should be proportional and that the regulatory framework should be geared to the diversity in size, structure and operation of financial institutions.20 This should however not imply that smaller financial institutions can be less scrupulous when it comes to compliance with the rules, or that the supervisor should inspect them less meticulously. The depositor/investor should obviously enjoy just as much protection when he or she makes use of services offered by small institutions. Only in particular circumstances will a smaller institution require less complex compliance structures and systems, for instance if it is involved in less diverse activities. The mere amount of new regulation poses a problem to large financial institutions as well. It becomes extremely difficult to grasp the whole picture: the entire structure of the financial institution, the entirety of its activities, the entirety of its possible risks, all of the rules that are to be complied with. No one person can keep an overview.21 22

14 For instance in case of an infringement of a MiFID conduct of business rule, which is not the consequence of a structural problem, and which causes damages to an individual client.
15 For instance in case of insider dealing or market abuse.
16 See, for example, ESMA, ‘Guidelines on certain aspects of the MiFID suitability requirements’ ESMA/2012/387. The second and eighth guidelines strongly emphasize policy rules and procedures with a view to compliance with the ‘know-your-customer’ requirements. On this issue (in Dutch), see Veerle Colaert, De MiFID geschiktheidsbeoordeling: naar een beter georganiseerde kennis van cliënt en product, (2012) Bank- en financieel Recht 268, nr. 143.
17 See, for example, Joshua Siegel quoted in an article by Christine Harper, ‘Too Big to Fail Rules Hurting Too Small to Compete Banks’ Bloomberg (28 February 2013): “Small banks will seek mergers because their management teams are aging and new regulations are too costly to bear, he says. If you need one major overriding theme of the industry in the next three, five, seven, 10 years: massive consolidation, thousands of banks,” says Siegel, whose firm managed $ 5.1 billion as of the end of last year and invests in small banks. In the U.S., “I do see probably anywhere from 2,000 to 4,000 banks being swallowed up, and what you’ll see then is a more concentrated system”; further on in that article also “JP Morgan’s Dimon, a critic of regulations he views as unnecessary or excessive, has recently touted the benefits. He told Citigroup analysts this month that new rules will help banks such as JPMorgan, the largest in the U.S., win market share from smaller competitors, the analysts wrote in a report. In Dimon’s view, they wrote, the changes will make it more expensive and tend to make it tougher for smaller players to enter the market, effectively widening JPM’s ‘moat’. The new rules, it turns out, may be doing more to shield banks from competition than to make them safer.” Also: Tracy Aloway, ‘Regulations hit smaller US banks hardest’ Financial Times (London, 8 February 2015): “‘What if Dodd-Frank created a too-small-to-succeed problem in addition to the too-big-to-fail problem?’ said Mr Lux, who is based at the Mossavar-Rahmani Center for Business and Government at Harvard’s John F. Kennedy School of Government … Regulators have been trying to walk a fine line between easing burdens on smaller banks and ensuring that the sector remains under control – with many arguing that the US was overbanked before the financial crisis and in need of consolidation … ‘It does seem like smaller institutions are the hardest hit,’ said Robert Greene, Mr Lux’s research assistant. ‘There are economies of scale when dealing with regulation’.”
18 Willem Buiter expressed this very eloquently, see Willem Buiter, ‘Too big to fail is too big’ Financial Times, Willem Buiter’s Maverecon (London, 24 June 2009, 3.03 am): “The too big to fail problem has been central to the degeneration and corruption of the financial system in the north Atlantic region over the past two decades. The ‘too large to fail’ category is sometimes extended to become the ‘too big to fail’, ‘too interconnected to fail’, ‘too complex to fail’ and ‘too international’ to fail problem, but the real issue is size. … Size is the core of the problem; the other dimensions (interconnectedness, complexity and international linkages) only matter (and indeed worsen the instability problem) if the institution in question is big.”
19 See, for example, Francesco Vallascas and Kevin Keasey, ‘Bank resilience to systemic shocks and the stability of banking systems: Small is beautiful’ (2012) 31 Journal of International Money and Finance 1745. A similar opinion is voiced by Nouriel Roubini: “If a financial institution is too big to fail, it’s too big. If it’s too big, we should break it up”, cited by Ian Guider and Louisa Fahy, ‘Roubini says bank mergers may create ’Bigger Monster’’ Bloomberg (5 November 2009). Also see Paul De Grauwe, ‘Maak de Belgische grootbanken niet nog groter’ De Morgen (Brussels, 3 November 2014). Compare with the following Australian measure: “Australia has followed a clear and sound competition policy with the Four Pillars approach to its major banks (the four medium-sized oligopolies are not permitted to merge and hence they did not compete excessively in the securities area).” (OECD, The financial crisis. Reform and exit strategies (2009) 19 <http://www.oecd.org/daf/fin/financial-education/43091457.pdf>). Contra e.g.: Jean Dermine and Dirk Schoenmaekers, ‘In banking is small beautiful?’ (2010) 19 Financial Markets, Institutions and Instruments 1.
20 See in particular recitals 11 and 22 (1) of the MiFID Implementing Directive 2006/73/EC and article 74 CRD IV Directive 2013/36/EU; see also Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 2.
12. Compliance function. The introduction of a mandatory “compliance function” as one of the three independent “control functions”23 within a credit institution was an important evolution in this respect: it emphasizes the importance of correct compliance and indicates that such compliance is less evident in the financial sector than in many other domains. The compliance function serves to manage the compliance risk, i.e. the current or prospective risk to earnings and capital arising from violations or non-compliance with laws, rules, regulations, agreements, prescribed practices or ethical standards.24 It should advise the management body on laws, rules, regulations and standards the institution needs to meet and assess the possible impact of changes in the legal or regulatory environment.25 It should assess the appropriateness of the bank’s compliance procedures and guidelines, promptly follow up any identified deficiencies, and, where necessary, formulate proposals for amendments.26 The compliance function should further verify that new products and new procedures comply with the current legal environment and any known forthcoming changes.27 This description of the compliance function confirms the idea that, given the amount of regulation, compliance should not merely depend on knowledge of the rules by all employees confronted with them. The creation of a compliance function which is formally responsible for ensuring compliance is however only part of the compliance challenge. In small financial institutions the compliance function is sometimes performed by one person only, who is often at the same time also head of the legal department.

21 Credit institutions are therefore required to create an “RCF” or “Risk Control Function”, which should ensure that “each key risk the institution faces is identified and properly managed” and that “a holistic view on all relevant risks is submitted to the management body”. See EBA, ‘Guidelines on Internal Governance (GL44)’ BS 2011 116 definitive, 38, para 25.2. See also below nr. 25.
22 At the international level, the Basel Committee on Banking Supervision published a high-level paper on “Compliance and the compliance function in banks” in April 2005. More recently, at the European level, EBA published guidelines on internal governance in September 2011, which specified the need for a compliance function and the principles which this function should satisfy. See in particular paragraph 28 (3): “An institution should establish a permanent and effective Compliance function and appoint a person responsible for this function across the entire institution and group (the Compliance Officer or Head of Compliance).” (EBA (n 21) 43, para 28 (3)). With respect to investment services, ESMA subsequently issued ‘Guidelines on certain aspects of the MiFID suitability requirements’ (ESMA 2012/388).
23 See art. 22 and annex V of CRD IV Directive 2013/36/EU; EBA (n 21) 12, para 8.2 (h): “The key responsibilities of the management body should include setting and overseeing (…) an adequate and effective internal control framework, that includes well-functioning Risk Control, Compliance and Internal Audit functions as well as an appropriate financial reporting and accounting framework.”
24 Basel Committee on Banking Supervision, Compliance and the compliance function in banks (April 2005) 13, principle 7; EBA (n 21) 43, para 28.1-2.
25 Basel Committee on Banking Supervision, Compliance and the compliance function in banks (April 2005) 13, para 35; EBA (n 21) 43, para 28.5; Basel Committee on Banking Supervision, Guidelines. Corporate governance principles for banks (July 2015) 31, principle 9, para 135.
26 See, for example, Basel Committee on Banking Supervision, Compliance and the compliance function in banks (April 2005) 14, nrs. 36 and 39.
27 Basel Committee on Banking Supervision, Compliance and the compliance function in banks (April 2005) 13, para 35; EBA (n 21) 43, para 28.6.
II. Systematization as solution to the compliance challenge?

A. Background
13. Systematization. Today, the solution to the compliance challenge lies increasingly in systematization. In order to be able to cope with the wide range of rules of financial law, compliance with these rules will to the extent possible be built into a system, usually an IT solution. A series of data is fed into the system and the computer, as it were, ‘spits out’ a compliant solution. Of course, financial market participants have been using systematization for a long time. Rating agencies have been using models for years to award ratings to institutions or financial products.28 Automated credit scoring systems are also commonly used in the domain of credit provision in order to determine whether and on which conditions a company or consumer can be granted credit.29 In these instances of systematization, automation preceded legislation: the legislator provided a legal framework for these systems only after they had already been used for decades (infra numbers 36, 37 and 39). However, it is becoming increasingly common to build systems in order to facilitate compliance with the law. This tendency can be observed in the most widely divergent aspects of financial regulation. By way of illustration, a number of examples are developed below.

14. Example 1 – AML. Anti-money laundering legislation requires financial institutions to report suspicious transactions. In order to detect these, all client transactions must be tested against a number of criteria. Computer software facilitates this task through automated transaction monitoring.30 Financial institutions build systems which generate an automatic alert whenever, for example, a large cash transaction31 or an otherwise abnormal transaction occurs in the account of a client.32 Reporting of suspicious transactions thus no longer exclusively depends on the attentiveness of individual staff members; instead, every suspicious transaction is flagged automatically. A competent staff member (usually the compliance officer) will in a second phase assess whether the internal alert should result in a report.

15. Example 2 – Conflicts of interest. Another area in which computer software has become an essential tool is compliance with regulation on the avoidance of conflicts of interest. The Markets in Financial Instruments Directive requires that investment firms and credit institutions organize themselves so as to prevent conflicts of interest from adversely affecting the interests of their clients.33 Financial institutions make use of, for example, compartments in the information system (“Chinese walls”), so that members of staff only have access to the information they really need (“need to know basis”). Access to certain delicate information requires an authorization. In order to avoid conflicts of interest, client data and data of any parties involved in a transaction have to be fed into the system before opening a new dossier. The computer system then makes it possible, despite the Chinese wall, to detect potential conflict of interest situations. These are subsequently submitted to the competent person within the financial institution – usually a compliance officer – who gives instructions on how to deal with the situation.34

16. Example 3 – Know your customer. In a more recent development, systematization as a solution to the compliance challenge is introduced in the relations between a financial institution and its clients. Financial institutions which are active in portfolio management or provide investment advice, for instance, make use of systems to link a suitable product to the right customer. If a financial institution wants to provide a client with personalized investment advice or portfolio management, it should ask the client about his knowledge and experience, his investment objectives and his financial situation (so-called “know-your-customer obligations”).35 On the basis of his answers, the client’s investment profile emerges. Traditionally such an investment profile was drawn up during an informal conversation between a bank employee and the client. Today, the client is requested to fill out an elaborate, standardized questionnaire – in some cases during a meeting with an employee of the bank, but increasingly often in an online environment. This method does not leave much room for flexibility. The system must be followed. There is usually no possibility to skip questions that are less relevant for a particular client. Many clients therefore experience this questionnaire as an administrative burden and an intrusion into their personal lives.36

28 Originally, rating agencies only used these models to determine ratings in an efficient manner, not to facilitate compliance with the law. Since the crisis, the legislator has subjected the use of these models to very strict rules (see nrs. 29 and 32). The problems experienced with the use of models by rating agencies during the crisis are nevertheless illustrative of the challenges of systematization in general (see nr. 23).
29 Data about the consumer’s income, financial burdens, but also credit history (has he or she ever been in arrears?) and even his or her place of residence determine the probability of the consumer’s incapacity to pay back a credit. Based on these data, a lower or higher interest rate is charged (if the credit is granted). On this issue, see, for example, Lyn C. Thomas, David J. Edelman and Jonathan N. Crook, Credit Scoring and its Applications (SIAM 2002) 1 and 3.
30 See, for example, Tim Worstall, ‘Standard Chartered Faces Another, Absurd, Anti-Money Laundering Fine’ Opinion (8 July 2014).
In a second phase the answers to the questionnaire are processed automatically: each answer is given a score and an importance factor. On that basis, the client is given a total score which situates him in one of five or six predetermined investor profiles which the financial institution has developed. He is catalogued as a customer with a defensive or conservative profile if he is risk-averse, has less knowledge and experience and/or a lower financial capacity; he has a dynamic or progressive profile when he is prepared to run more risks of loss on the financial markets, has more knowledge and experience and/or a higher financial capacity.[37] Financial institutions also classify each product offered to their clients according to product risk and complexity. In a final phase, each of the investor profiles is linked with products with a suitable risk profile. In other words: the computer system determines – as it were with mathematical certainty – which products are suitable for the client. The investment advisor or portfolio manager can only choose from the range of products which the computer system has selected for each individual client.

31 Art. 7 (b) of Money Laundering Directive 2005/60/EC; art. 10 (b) of the Proposal for a new Money Laundering Directive COM/2013/045 final.

32 Art. 8 (1) d) of Money Laundering Directive 2005/60/EC; art. 11 (1) d), 13 (3) and 16 (2) of the Proposal for a new Money Laundering Directive COM/2013/045 final.

33 Art. 16 (3) of Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU [2014] OJ 173/349 (MiFID II), previously art. 18 (2) of MiFID I 2004/39/EC.

34

35 Art. 25 of MiFID II Directive 2014/65/EU.

36 Recent ESMA Guidelines recognize this problem and therefore require that financial institutions inform clients, clearly and simply, that the reason for assessing suitability is to enable the firm to act in the client’s best interest (ESMA, ‘Guidelines on certain aspects of the MiFID suitability requirement’, ESMA/2012/387, 27, guideline 1, para 13).

37 It is worth asking if and to what extent this terminology is in itself already misleading or at least loaded: the terms dynamic and defensive are not neutral and descriptive, but have a positive (dynamic) or negative (defensive) connotation. On this issue, see (in Dutch) Veerle Colaert, De rechtsverhouding financiële dienstverlener – belegger (Die Keure 2011) 490, nr. 1098.

B. Benefits of systematization

17. Overview. Systematization – often through the use of computer models – greatly reduces the need for human intervention in ensuring compliance with the law. Cold as this may seem, such an approach has some undeniable benefits. First and foremost, systematization usually considerably increases efficiency. Moreover, it greatly reduces the chance of individual human errors.

1. Increased efficiency

18. Efficiency. The above examples clearly illustrate that systematization of formerly manual processes speeds up the process of complying with the law. Recent legislation seems to go one step further and even (at least implicitly) imposes such efficiency. The new Deposit Guarantee Directive 2014/49/EU, which replaces the former Directive 1994/19/EC, has further harmonized different aspects of deposit guarantee in the EU. It has, amongst other things, reduced the maximum payout period of EU deposit guarantee funds to an extreme extent. After the competent administrative authority or a judicial authority has confirmed the unavailability of a deposit that is due and payable, the deposit guarantee fund should now pay out depositors of the credit institution involved within 7 working days.[38] This is an extremely short period if one considers the series of actions that must be taken during this period:[39]
- The deposit guarantee fund should request the necessary information on depositors and their deposits from the defaulting credit institution.
- The credit institution should assemble this information and provide it to the deposit guarantee fund.
- On the basis of the information received from the credit institution, the deposit guarantee fund has to determine the right to payout for each depositor.
- The deposit guarantee fund has to proceed to payout.
The sting for credit institutions, and the link with the theme of this paper, is in article 8(6) of the Directive, which requires the credit institution to transmit the necessary information on deposits and depositors “as soon as requested by the deposit guarantee scheme.” Since the deposit guarantee scheme needs this information in order to proceed to payout, the credit institution should be able to deliver this information within not more than a couple of days. The necessary data should therefore be readily available to the credit institution.[40] Indeed, in order to be able to transfer information usable for the deposit guarantee fund upon simple request, credit institutions will have to invest in systems which enable them to generate the necessary information at the press of a button.[41] Although the Directive on deposit guarantee schemes does not breathe a word on the manner in which credit institutions have to comply with their obligation to deliver the necessary information “as soon as requested by the deposit guarantee scheme”, investments in thorough systematization seem to be the only adequate answer.

2. Reduced risk of individual errors

19. Reduced liability risk. Less human intervention also reduces the likelihood of human errors and negligence, which are often the cause of non-compliance with the law. Systems guarantee that the law is complied with in a more systematic manner and reduce the chance of errors.[42] For financial institutions this evidently also means a reduced risk of civil liability and administrative or criminal sanctions.

20. Guarantee of minimum quality. If the rules which are applied in a systemized manner aim at protecting customers, they of course reap the benefits of systematic compliance. The systematized compliance with the MiFID know-your-customer requirements (nr. 16) exemplifies this. Whereas in the past the selection of suitable products for a specific client depended on the personal assessment of an individual investment advisor, such a selection process is now managed centrally. The system preselects a number of products suitable for each investor profile. On the basis of the answers to the standardized questionnaire, the system classifies the investor in a certain investor profile. The investment advisor should then advise a product from the centrally predetermined selection linked to the particular investor profile of the client. In so far as the system is correct and is followed meticulously, only a malicious disregard for the results can then still give rise to unsuitable advice. In this manner, the system offers the client a minimum quality guarantee.

38 Art. 8 (2) jo 2 (8) and 3 (2) of Deposit Guarantee Directive 2014/49/EU.

39 See Veerle Colaert, ‘Deposit Guarantee Schemes in Europe: Is the Banking Union in need of a third pillar’ (2015) 12 ECFR.

40 The deposit guarantee fund provides a coverage level of 100,000 EUR per depositor (not per deposit). In order to determine the rights of a depositor, it is not only necessary to add up the amounts in his personal savings, current and other relevant accounts, but also to determine his share in joint accounts. In addition, there can be other reasons why a depositor’s rights to a certain account are not entirely straightforward, for example because the credit institution has a right of set-off (see article 7 (5) of Deposit Guarantee Directive 2014/49/EU) or because of a pledge on the account for the benefit of the credit institution or other creditors.

41 The Joint Research Centre has calculated the costs for credit institutions to build all necessary IT systems, including “electronic eligible account flagging” and a “data cleansing system” allowing to create a “single customer view”. See European Commission, Joint Research Centre, Report under article 12 of Directive 94/19/EC as amended by Directive 2009/14/EC (2010) 5 <http://ec.europa.eu/internal_market/bank/docs/guarantee/jrc-rep_en.pdf> and Ernst and Young, Fast payout study – final report (November 2008) 2 and 8.
C. Disadvantages of systematization

21. Overview. Although the advantages of systematization are undeniable, its disadvantages are also considerable. First and foremost, errors in the system automatically have much farther-reaching consequences than non-compliance with the rules by a bank employee in an individual case. Secondly, building these systems and keeping them up to date carries enormous costs. Finally, the dehumanization which goes hand in hand with systematization may have undesirable side-effects. Each of these disadvantages, as well as some proposals for remedial action, is developed in more detail below.

1. Inaccurate systems lead to systematic errors

a. Problem

22. Error in the system – operational risk. The phrase “in so far as the system is correct” used above (nr. 20) indicates the most important weakness of systematization. An error in the system creates problems on a much wider scale than would have been the case in the absence of a system.[43] In other words, systematization involves an operational risk that cannot be ignored.[44]

23. Example – rating agencies. The role played by rating agencies in the run-up to the crisis is a telling example of this problem. Rating agencies used computer models to determine a rating on the basis of a number of data. It however turned out to be very difficult to build systems and models sophisticated enough to take into account all relevant factors, in particular very unlikely eventualities.[45] Research into the course of the crisis has brought to light that rating agencies based their ratings on flawed and outdated models and that this resulted in erroneous ratings. And even after flaws in the model had been discovered, certain rating agencies continued to use them. Even if the model was adapted, ratings that had been based on the flawed model were often not recalculated.[46] After all, adapting ratings that had already been made public on account of an error or imperfection in the system would damage the rating agency’s reputation. Moreover, the company which had requested the rating – and paid the rating agency – would be displeased if the correction resulted in a downgrade of its rating. That such corrections would not generate new revenues did not stimulate the rating agencies to spontaneously correct their mistakes either.[47] The problems detected with respect to rating agencies’ models can occur in most systems. In the context of compliance with anti-money laundering legislation (supra nr. 10), an insufficiently sophisticated system of transaction monitoring can lead to systematic non-reporting of suspicious transactions.[48] A parallel can also be drawn with the automated compliance system for MiFID know-your-customer obligations (see supra nr. 16). An error in the system may lead to erroneous investment profiles for an entire group of clients, who as a result may be advised to consistently opt for investments that are riskier than actually suitable for them. There is a considerable risk that, out of fear of claims for damages and reputational damage, the bank would in such circumstances hesitate to rectify past mistakes caused by the system or to notify the client of the problem, and limit itself to revising the profile for future use.

42 Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 15, nr. 51.

43 See the express acknowledgement of this problem in the Basel II standards: “The substantial impact that errors in the methodology or assumptions of formal analyses can have on resulting capital requirements requires a detailed review by supervisors of each bank’s internal analysis.” (Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version (30 June 2006) 209, nr. 747). Also Basel Committee on Banking Supervision, Framework for internal control systems in banking organisations (September 1998) 18, principle 8, nr. 31: “Management decision-making could be adversely affected by unreliable or misleading information provided by systems that are poorly designed and controlled”.

44 “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk” (Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version (30 June 2006) 144, nr. 644). See also Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 3, para 10: “Operational risk is inherent in all banking products, activities, processes and systems, and the effective management of operational risk has always been a fundamental element of a bank’s risk management programme”.

45 European Commission, ‘Staff Working Document accompanying the Proposal for a Regulation of the European Parliament and the Council on Rating Agencies – Impact Assessment’ SEC(2008)2745, 17-20.

46 See Financial Crisis Inquiry Commission, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States (January 2011) 126: “Moody’s, the Commission’s case study in this area, relied on flawed and outdated models to issue erroneous ratings on mortgage-related securities, failed to perform meaningful due diligence on the assets underlying the securities, and continued to rely on those models even after it became obvious that the models were wrong.” See also European Commission, ‘Staff Working Document accompanying the Proposal for a Regulation of the European Parliament and the Council on Rating Agencies – Impact Assessment’ SEC(2008)2745, 17-20.

47 John C. Coffee Jr., The role and impact of credit rating agencies on the subprime credit markets (Testimony before the Senate Banking Committee, 26 September 2007) 5.

48 For a concrete example, see footnote 30.
b. Remedial action

24. Overview. In order to avoid systematic errors, it is crucial that the system is correct and nuanced, taking into account a sufficiently broad range of variables. The question arises how this quality standard can be attained. Although there are already rules with respect to internal risk control in general and with respect to automated processes in particular, these rules are rather high-level and do not concentrate on the specific risks of systematization as a means of complying with the law. A thorough study of recent financial regulation however reveals that, with respect to very specific subject matters, specific rules have been developed to limit the risks involved in systematization. In what follows, we present an outline of an encompassing, effective “system auditing scheme”, the key elements of which have been inspired by those very specific rules.

25. General – internal control functions. Many guidelines provide a framework for risk management in general, which features “three lines of defense” against the risks occurring when operating a financial institution.[49] Operational management (front office, any client-facing activity) has to ensure the first line and is responsible for the identification, assessment and mitigation of risks which a bank runs when performing its activities. The second line, the risk management function, facilitates and monitors the implementation of effective risk management practices by operational management. The compliance function is an important component of the risk management function[50] and should limit the specific risk of non-compliance with laws and regulations (see also supra nr. 12). The third line is the internal audit function, which provides independent assurance to the board of directors and senior management on the quality and effectiveness of a bank’s internal control, risk management and governance systems and processes.[51] These internal control functions obviously also play a crucial role in the limitation of risks related to systematization as a compliance technique. In what follows, we will focus on these risks specifically.

26. General – automated processes. In the banking sector, the use of IT systems in general is governed by risk management principles.[52] The internal audit function should verify, in particular, the integrity of the processes and ensure the reliability of the methods and techniques, assumptions and sources of information used in the internal models of the credit institution.[53] The elements indicated below can serve to refine the manner in which such controls are conducted, specifically when systems are used for compliance purposes.

49 Basel Committee on Banking Supervision, Guidelines - Corporate governance principles for banks (July 2015) 5, para 13.

50 Ibid. 31, principle 9.

51 Basel Committee on Banking Supervision, The internal audit function in banks (June 2012) principle 1, para 10 and 12, principle 13, para 60 and following; Basel Committee on Banking Supervision, Guidelines - Corporate governance principles for banks (July 2015) 32, principle 10; EBA (n 21) 37.

52 See Basel Committee on Banking Supervision, Framework for internal control systems in banking organisations (September 1998) 18, principle 8.

53 EBA (n 21) 38-40 and 44, para 29.4. See also Basel Committee on Banking Supervision, Framework for internal control systems in banking organisations (September 1998) 18, principle 8.
27. Optimal system development – interdisciplinary cooperation. First and foremost, it is important that systems optimally implement the desired result. This requires intensive cooperation between specialized legal advisors, economists and IT experts.

28. Intra-system consistency tests. While building a system, intra-system controls should be created that immediately bring to light any discrepancies in the system or its output. Today, such intra-system controls are already recommended for MiFID know-your-customer systems (supra nr. 16). If financial institutions use such systems (such as online questionnaires or risk-profiling software), they should ensure that they have appropriate controls to ensure that the tools are fit for purpose and produce satisfactory results. For example, risk-profiling software could include coherence controls of the replies provided by clients in order to reveal contradictions between different pieces of collected information.[54]

29. Periodic systems test. After its implementation, the system has to be fine-tuned continuously to take account of market evolutions, the development of new products or new insights. A periodic control – for instance annually – should be combined with ad hoc controls that lead to adjustments when an error or discrepancy is discovered, when the law is amended or when new insights or technologies make it possible to fine-tune or improve the system.[55] An instance of this principle has been introduced in the latest version of the Credit Rating Agencies Regulation. In view of the irregularities detected in credit rating agencies’ models during the crisis (see supra nr. 23), the use of such systems and models has been heavily regulated. The Regulation requires rating agencies to only use rating methodologies that are rigorous, systematic, continuous and subject to validation based on historical experience, including back-testing.[56] They should further monitor their credit ratings and review their ratings and methodologies on an ongoing basis and at least annually, in particular where material changes occur that could have an impact on a credit rating. Where rating methodologies, models or key rating assumptions used in credit rating activities are changed, or when a rating agency becomes aware of errors in its rating methodologies or in their application, it should review the affected credit ratings as soon as possible and no later than six months after the change or the detection of the error, in the meantime placing those ratings under observation. It should re-rate all credit ratings that have been based on those methodologies, models or key rating assumptions.[57]

30. Human check of the result of the system. Furthermore, it is important that the outcome provided by the system is not taken for gospel truth, but considered with a critical mind. Certain legislation already explicitly requires that the result of an automated procedure is subjected to a human check.
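As an added illustration (not code from the paper or from any institution), the following toy version of the profiling system of nr. 16 combines the controls of nrs. 28 to 30: weighted scoring into investor profiles, coherence checks that route contradictory replies to a compliance officer instead of scoring them, and a re-scoring step that lists every client whose profile changes when the model is corrected, so past advice is reviewed rather than only future use. All question codes, weights, profile boundaries and products are constructed assumptions.

```python
# Added illustration, not code from the paper: a toy suitability-profiling
# engine of the kind described in nr. 16, with the coherence controls of
# nr. 28, the re-rating step of nr. 29 and the human-review routing of nr. 30.
# Every question code, weight, profile boundary and product below is a
# constructed assumption, not a real institution's scoring model.
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass(frozen=True)
class ScoringModel:
    weights: dict      # question -> importance factor
    scores: dict       # question -> {answer: score}; higher = more risk capacity
    profiles: tuple    # ordered (profile name, max weighted score, max product risk class)


# Maximum weighted score under these weights: 2*2 + 3*2 + 1*2 + 2*2 = 16.
MODEL_V1 = ScoringModel(
    weights={"horizon": 2, "loss_tolerance": 3, "experience": 1, "objective": 2},
    scores={
        "horizon": {"<1y": 0, "1-5y": 1, ">5y": 2},
        "loss_tolerance": {"none": 0, "up to 10%": 1, "more than 25%": 2},
        "experience": {"none": 0, "funds": 1, "derivatives": 2},
        "objective": {"preserve": 0, "income": 1, "growth": 2},
    },
    profiles=(("defensive", 3, 1), ("conservative", 6, 2), ("balanced", 9, 3),
              ("dynamic", 12, 4), ("aggressive", 16, 5)),
)

# Corrected model after a periodic review found the "dynamic" band too wide:
# a score of 10-12 now maps to "balanced" (product risk class 3 at most).
MODEL_V2 = replace(MODEL_V1, profiles=(("defensive", 3, 1), ("conservative", 6, 2),
                                       ("balanced", 12, 3), ("dynamic", 14, 4),
                                       ("aggressive", 16, 5)))

# Intra-system coherence controls (nr. 28): pairs of replies that contradict
# each other. A hit means the questionnaire must not be scored mechanically.
COHERENCE_RULES = (
    ("capital preservation objective but accepts losses above 25%",
     lambda a: a["objective"] == "preserve" and a["loss_tolerance"] == "more than 25%"),
    ("no investment experience but reports trading derivatives last year",
     lambda a: a["experience"] == "none" and a.get("traded_derivatives") == "yes"),
)

# Product catalogue with the institution's own risk class per product (constructed).
PRODUCTS = {"gov_bond_fund": 1, "balanced_fund": 3, "equity_fund": 4, "leveraged_etf": 5}


@dataclass
class Assessment:
    profile: Optional[str]      # None when the file goes to a human instead
    suitable: list              # products the advisor may choose from
    needs_human_review: bool
    findings: list = field(default_factory=list)


def weighted_score(model: ScoringModel, answers: dict) -> int:
    """Score times importance factor, summed over all questions of the model."""
    return sum(model.weights[q] * model.scores[q][answers[q]] for q in model.weights)


def profile_for(model: ScoringModel, score: int) -> tuple:
    """Map a total score to the first profile band whose upper bound covers it."""
    for name, upper, max_risk in model.profiles:
        if score <= upper:
            return name, max_risk
    raise ValueError(f"score {score} outside the model's bands")  # model misconfigured


def coherence_findings(answers: dict) -> list:
    return [text for text, rule in COHERENCE_RULES if rule(answers)]


def assess(model: ScoringModel, answers: dict, products: dict = PRODUCTS) -> Assessment:
    findings = coherence_findings(answers)
    if findings:
        # Contradictory replies are not scored anyway: the file is routed to
        # the compliance officer (nr. 30) with the contradictions listed.
        return Assessment(None, [], True, findings)
    name, max_risk = profile_for(model, weighted_score(model, answers))
    suitable = sorted(p for p, risk in products.items() if risk <= max_risk)
    return Assessment(name, suitable, False)


def rerate_after_model_change(old: ScoringModel, new: ScoringModel, clients: dict) -> dict:
    """nr. 29: after a model correction, re-score every client and return those
    whose profile moved, so past advice is reviewed rather than only future use."""
    changed = {}
    for client, answers in clients.items():
        if coherence_findings(answers):
            continue  # never scored automatically; already with a human
        before = profile_for(old, weighted_score(old, answers))[0]
        after = profile_for(new, weighted_score(new, answers))[0]
        if before != after:
            changed[client] = (before, after)
    return changed


# Constructed sample questionnaires.
CLIENTS = {
    "alice": {"horizon": ">5y", "loss_tolerance": "up to 10%", "experience": "funds",
              "objective": "growth"},                       # score 12
    "bob": {"horizon": "<1y", "loss_tolerance": "none", "experience": "none",
            "objective": "preserve"},                       # score 0
    "carol": {"horizon": "1-5y", "loss_tolerance": "more than 25%", "experience": "funds",
              "objective": "preserve"},                     # contradictory replies
}
```

Under MODEL_V1 the constructed client "alice" lands in the dynamic band and may be offered a risk class 4 product; the corrected MODEL_V2 moves her to balanced, which is exactly the group-wide misclassification nr. 23 warns about and the re-rating duty of nr. 29 addresses.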
54 ESMA, ‘Guidelines on certain aspects of the MiFID suitability requirement’, ESMA/2012/387, 33, para 44 and 58.

55 Compare with Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 5, para 20: “Because operational risk management is evolving and the business environment is constantly changing, management should ensure that the Framework’s policies, processes and systems remain sufficiently robust”. On “sound technology risk management”, see specifically p. 15, para 52-53.

56 See art. 8 (3) of Regulation (EC) No 1060/2009.

57 See art. 8 (5), (6) and (7) of Regulation (EC) No 1060/2009.
The oldest example can undoubtedly be found in privacy legislation, which grants every person the right not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc.[58] For the financial sector this is important with regard to the assessment of the creditworthiness of customers by means of automated credit-scoring mechanisms, which are used to determine whether and on which conditions a person can be granted credit (see supra nr. 0). Under Consumer Credit Directive 2008/48/EC those automated credit-scoring mechanisms are also a compliance tool in respect of the responsible lending obligation: before the conclusion of the credit agreement, the creditor should assess the consumer's creditworthiness on the basis of sufficient information, where appropriate obtained from the consumer and, where necessary, on the basis of a consultation of the relevant database (art. 8 Consumer Credit Directive), implying that the credit should not be granted if there is a significant chance that the consumer would not be able to pay it back in accordance with the terms and conditions. The abovementioned privacy legislation should ensure that a consumer is not denied credit solely on the basis of an automated credit scoring system. If the credit application is rejected on the basis of consultation of a database, the creditor shall inform the consumer immediately and without charge of the result of such consultation and of the particulars of the database consulted (art. 9 (2) Consumer Credit Directive). Since the introduction of the Basel II norms, a human check of the outcome of the system is also required with regard to compliance with the minimum capital requirements for credit institutions. These minimum capital requirements are in a first stage calculated on the basis of quantitative minimum standards imposed by the Basel standards. Compliance with these quantitative standards is facilitated by computer systems.[59] The management however bears responsibility for ensuring that the bank has adequate capital to support its risks.[60] This requires, among other things, a qualitative assessment of whether the quantitative minimum capital requirements indeed suffice in view of the specific risk profile of the bank. If necessary, management should decide to maintain a higher level of capital. Internal audit should review management’s process for stress testing its capital levels and the reliability of the processes used.[61]

31. System audit by the supervisor. As mentioned above (nr. 8), the principal task of the supervisor should be to examine whether the organization and systems of financial institutions suffice with a view to optimal compliance with the law. The supervisor should therefore assess whether financial institutions’ systems are effective and robust.
58 Article 15 of Data Protection Directive 95/46/EC; European Commission, ‘Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’, COM(2012) 11 final, art. 20.

59 See footnote 72.

60 In the context of the so-called “Supervisory Review Process” the management of the bank is therefore given the responsibility of developing an internal “capital assessment process” and setting capital targets that are commensurate with the bank’s risk profile and control environment. See Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version (30 June 2006) 204, nr 720-721.

61 Basel Committee on Banking Supervision, The internal audit function in banks (December 2011) 8, para 33.
This obviously does not mean that the supervisor guarantees that a system in which no errors were detected is free from errors. The responsibility for compliance with the law and the development of good compliance systems remains with the financial institution. Supervisory control should nevertheless endeavor to improve compliance systems on the basis of the knowledge and experience which the supervisor has acquired through assessments of other financial institutions’ systems.62 When assessing financial institutions’ systems and processes, the supervisor can receive valuable help from within: supervisory authorities have an interest in engaging in a constructive and formalized dialogue with the internal audit function. This dialogue could be a valuable source of information on the quality of the internal control system. Supervisors should therefore have regular communication with the bank’s internal auditors to discuss the risk areas identified by both parties, understand the risk mitigation measures taken by the bank, and monitor the bank’s response to weaknesses identified.63 In addition, supervisors can reinforce their expertise by appealing to external auditors.64 In the Basel capital standards, a system audit by the supervisor has been explicitly included in the “Supervisory Review Process”. Supervisors should review and evaluate banks’ internal capital adequacy assessments and strategies and evaluate the degree to which a bank has in place a sound internal process to assess capital adequacy.65 Particularly interesting in view of one of the problems with rating agencies’ models during the crisis (see supra nr. 23), is that during the supervisory review process: “[s]upervisors should also consider the extent to which the bank has provided for unexpected events in setting its capital levels”.66 32. Transparency of the system. Finally, it is important that compliance systems are
maximally transparent, at three different levels. In the first place, the system should be internally transparent. This means that the manner in which a system is built, should be meticulously documented. Detailed manuals should be drawn up for each system. This is of crucial importance to guarantee a lasting understanding of the system. Such internal transparency should elucidate the limits of the system, the premises on which it is built, and, if the case may be, any factors which have not been taken into account. Internal transparency should further guarantee that changes can be made to
62
Compare Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 2, para 9: “Supervisors continue to take an active role in encouraging ongoing internal development efforts by monitoring and evaluating a bank’s recent improvements and plans for prospective developments. These efforts can then be compared with those of other banks to provide the bank with useful feedback on the status of its own work.” 63 Basel Committee on Banking Supervision, The internal audit function in banks (June 2012) 15, principle 16. 64 Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 2, para 7. 65 With regard to this issue, the Basel II standards were not modified by Basel III: Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version (June 2006) 209-210: “Supervisors should assess the degree to which internal targets and processes incorporate the full range of material risks faced by the bank. … Supervisors should review the bank’s processes to determine that: • Target levels of capital chosen are comprehensive and relevant to the current operating environment; • These levels are properly monitored and reviewed by senior management; and • The composition of capital is appropriate for the nature and scale of the bank’s business”. 66 Ibid. 210, nr 750
19
complex systems at a later stage, even when the original developers of the system are no longer employed at the financial institution. At a second level, compliance systems should be made transparent to the supervisor, in order to facilitate system control and allow detection of best practices by the supervisor (see infra nr. 39). At a third level, the question arises to what degree transparency towards the market should be imposed. The Credit Rating Agencies Regulation (EU) n° 2009/1060 requires extensive transparency towards the market with regard to the models used by rating agencies and any subsequent changes to these models.67 Such transparency can of course not guarantee that systems are free from errors, but it does allow the market to keep an eye on the accuracy of a model and thus allows for “market discipline”. The question whether it is appropriate to require such system transparency for all compliance systems can, in my view, not be answered in general. For each system, it would be necessary (i) to establish to what extent market discipline could indeed contribute to an improvement of the system and (ii) to assess what the negative side effects of full transparency could be. Two negative effects are conceivable. The development of well-functioning systems is very costly. It can therefore be expected that there would be some resistance against making public such hard-earned expertise. Such a requirement could, at least in theory, even hamper implementation of new legislation: each financial institution would have an incentive to postpone implementation efforts for as long as possible, trying to save costs and take advantage of the information on competitors’ new systems. This problem should however not be overestimated. Large, self-respecting institutions would doubtlessly continue to develop their own systems and would not have their compliance with the law depend on the blueprint of non-corroborated systems built by competitors. A second negative side effect of publicly available information on compliance systems could be a shift in responsibility toward the customer. Indeed, if the functioning of a system were made transparent to the market, it could be argued that the customer, too, had the opportunity to inform himself on any limitations or shortcomings of such a system. If he nevertheless decided to deal with that financial institution, this could be qualified as an “informed” decision for which the customer would bear the responsibility. Such a shift in responsibility is not desirable in most cases and is indeed far-fetched vis-à-vis average retail investors.

2. Costs

a. Problem

33. Costs. One could assume small financial institutions would benefit from systematization, as it would enable them to comply with financial regulation with a more limited number of employees. However, smaller institutions are confronted with a quasi-prohibitive competitive disadvantage when it comes to building systems. Building and maintaining adequate systems is extremely expensive. Proper tailor-made IT systems are therefore often disproportionately expensive for smaller financial institutions.

34. Tendency towards increased scale? The development of properly functioning systems therefore again requires scale.68 In other words, systematization does not seem to solve the problem that smaller financial institutions are in danger of being regulated out of the market (supra nr. 11). The question arises whether there is an answer to the compliance challenge allowing smaller financial institutions to facilitate compliance by means of systematization.

67 See article 8 (1) and (5a) and recital 25 of Regulation (EC) No 1060/2009.
b. Remedial action

35. Overview. There are, in my view, two possible solutions. First, the supervisor could develop certain systems. A less radical option would be for the supervisor to detect a number of best practices and make them public. Both these options are explored below.

i. Systems developed by the supervisor

36. Systems developed by the supervisor? A first possibility could be that the supervisor develops systems facilitating compliance with the law. With regard to a number of rules and systems this would indeed be possible and feasible. To facilitate compliance with the MiFID know-your-customer requirements (supra nr. 0) the introduction of standardized investment profiles (number of profiles, their names and main characteristics) would in my opinion, for example, be useful. It would curtail the proliferation of names for these profiles and allow for increased comparability between the profiles of different financial institutions. This option is currently not considered by EU supervisors. In contrast, the classification of products into certain risk categories has been standardized in several EU Member States.69 Financial institutions are, however, often reluctant to replace their internal risk classification systems with the legal system, claiming that it is less adequate.70

68 Nevertheless, increased scale will eventually cease to result in economies of scale. At a certain point, the size of the financial institution may entail such complexity that the costs for the development and maintenance of systems – which have to take into account an enormous multitude of eventualities – soar.
69 Including Portugal, the Netherlands and Belgium.
70 In Belgium for example the royal decree of 25 April 2014 introduced an obligation to classify products into risk categories that correspond to a standardized risk label (article 4 §2, 8° of the so-called transversal Royal Decree of 25 April 2014, and the FSMA Regulation of 3 April 2014 concerning the technical requirements of the risk label). The system was however heavily critiqued. See for example the advice of the Consumer Council (‘Raad voor het Verbruik’) of 20 March 2014, RVV – 471, p. 50: “The subdivision … is disadvantageous for funds vis-à-vis individual bonds, although funds involve less risk because it diversifies risk. The use of derivatives is also heavily discouraged. One single government bond with a rating up to ‘A’ would receive an ‘A label’. A fund that exclusively invests in AAA government bonds receives ‘label C’. If a fund invests 50% or more in derivatives, the fund is classified in the lowest category ‘E’. In this manner, many capital guaranteed funds would end up in this lowest category.” (free translation from Dutch). The royal decree was further critiqued in view of the fact that it runs ahead of the PRIIPs Regulation, which will introduce a similar risk classification system at EU level (Regulation (EU) No 1286/2014 of the European Parliament and of the Council of 26 November 2014 on key information documents for packaged retail and insurance-based investment products (PRIIPs) [2014] OJ L 352/1; see also the different options explored: Joint Committee of the European Supervisory Authorities JC/DP/2014/02, “Discussion Paper - Key Information Documents for Packaged Retail and Insurance-based Investment Products (PRIIPs)” (17 November 2014) 3647). The Belgian legislator therefore finally decided to postpone this part of the royal decree.
It should indeed be acknowledged that standardized systems come with significant disadvantages.

37. Disadvantage 1 – restrains innovation. The traditional argument against standardization is that it curtails incentives for innovation. If each financial institution develops its own system, more expertise is put to work, which increases the odds of innovative systems being built.71 This is said to stimulate competition which should, in turn, result in better systems.

38. Disadvantage 2 – systemic risk. Moreover, it cannot be ruled out that a suboptimal system is proclaimed as the standard. The use of one single uniform system indeed implies an important risk: the consequences of a flawed system imposed by the supervisor will be much further-reaching than those of an erroneous system developed and used by a single financial institution. When the system is imposed by the supervisor, criticism by the internal control functions will moreover easily be brushed off as irrelevant. This can undermine the critical attitude of these control functions. The systemic risk associated with standardization became apparent during the crisis. If a credit institution did not opt for the so-called “internal rating based approach” for the calculation of minimum capital requirements, the Basel II standards imposed a “standardized approach”.72 During the crisis however, the minimum capital requirements that resulted from this standardized calculation model turned out to be largely insufficient. Apart from the more general criticism that the capital requirements were simply too low,73 part of the

71 Compare with the literature on regulatory competition, where the same argument is used against standardization (in this case: harmonization): for example Simon Deakin, ‘Legal diversity and regulatory competition: which model for Europe’ (2006) 12 ELJ 440, 444: “It is only on the basis of diversity that a wide range of potential solutions to common regulatory problems can emerge. One implication of this point of view is that to intervene with the aim of institutionalizing a single “best” solution, through harmonization, would be misguided.”
72 In accordance with the Basel criteria, banks should at all times maintain a solvency ratio (capital/assets ratio) of 8% to cover credit risk (Basel Committee on Banking Supervision, International Convergence of Capital Measurement and Capital Standards: A Revised Framework – Comprehensive Version (June 2006) 2 nr. 5 and 12 nr. 40). This ratio has been raised with a number of additional capital buffers since Basel III (capital conservation buffer and countercyclical buffer) which have to ensure that the actual solvency ratio is higher (Basel Committee on Banking Supervision, A global regulatory framework for more resilient banks and banking systems – revised version (June 2011) 54-60). However, not all assets are fully taken into account for the calculation of this ratio. The solvency ratio is calculated on the basis of the total risk-weighted assets. Each asset is therefore subject to a risk weighting system which determines what percentage of its value should be taken into account. Banks have the choice between two risk weighting methods: (i) a standardized approach which uses external ratings to determine the risk weight of assets and which is the default method, or (ii) an approach based on an internally developed risk weighting system (“internal rating based” or “IRB” approach) which can only be applied if requested and approved by the supervisor. The external ratings which are used in the standardized approach are issued by rating agencies. If an asset has not been rated its risk weight is set at 100%.
73 Prominent economists plead for much higher ratios. See, for example, Anat Admati and Martin Hellwig, The Banker’s New Clothes. What’s wrong with banking and what to do about it (Princeton University Press 2013). On top of the solvency ratio, the Basel III standards introduced an additional “leverage ratio” as a “backstop”, i.e. a ratio between capital and non-risk-weighted assets of 3% (Basel Committee on Banking Supervision, Basel III leverage ratio framework and disclosure requirements (January 2014)). Admati is a proponent of a leverage ratio of 20 to 30%, which would approximate the ratios typical of non-banking firms. See Anat Admati and others, ‘Fallacies, Irrelevant Facts and Myths in the Discussion of Capital Regulation: Why Bank Equity is Not Socially Expensive’ (2013) Stanford Working Paper N°2065, accessed 25 May 2015.
74 Because erroneous or out-of-date models were used (see nr. 23), but also because of the conflict of interests that is inherent to the rating industry, in which the rating agency is paid by the entity which it assesses. See Financial Crisis Inquiry Commission, Final Report of the National Commission on the Causes of the Financial and Economic Crisis in the United States (January 2011) 240; European Commission, ‘Staff Working Document accompanying the Proposal for a Regulation of the European Parliament and the Council on Rating Agencies – Impact Assessment’ SEC(2008)2745, 14-17.
75 In accordance with the standardized approach (see footnote 72), for assets with a higher rating only a smaller percentage should be taken into account for the calculation of the capital/assets ratio than for (riskier) assets with a lower rating. The total of the so-called risk-weighted assets will consequently be lower if the ratings of the assets are higher (for the same nominal amount of non-risk-weighted assets). Since capital requirements are expressed as a percentage of the risk-weighted assets, higher ratings result in a lower capital requirement. The alternative, the internal rating based approach, for which banks develop their own risk weighting system, however turned out to be equally inadequate: the models did not take sufficient account of extreme circumstances, and the supervisors were not sufficiently capable of assessing the robustness of the IRB models. On this issue, see, for example, Jeffery Atik, ‘Basel II. A Post-crisis post mortem’ (2011) 19 Transnational Law & Contemporary Problems 749: “The national regulator verified the presence of such internally developed risk management systems, but did not verify their effectiveness, which was regarded as technically beyond the pale”.
76 See article 77 CRD Directive 2013/36/EU, where the European legislator goes beyond the requirements of the Basel standards.
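To make the mechanism described in footnotes 72, 73 and 75 concrete, the following Python script is an added illustration; it is not part of this paper and not the Basel Committee's or any bank's code. It computes risk-weighted assets under a simplified standardized approach, checks the 8% solvency ratio and the 3% leverage-ratio backstop, and shows which of the two minima binds for a constructed book of exposures. The risk-weight table is an assumption modelled loosely on the Basel II standardized approach for corporate exposures; the exposures, the capital figure and the rating buckets are constructed for the example.

```python
"""Simplified standardized-approach capital check (added illustration).

Assumptions (not from the paper): the RISK_WEIGHTS table, the sample book
and the capital figure. The 8% solvency minimum, the 100% weight for unrated
assets and the 3% leverage backstop are the figures cited in footnotes 72-73.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

MIN_SOLVENCY_RATIO = 0.08   # capital / risk-weighted assets (footnote 72)
MIN_LEVERAGE_RATIO = 0.03   # capital / non-risk-weighted assets (footnote 73)

# Assumed risk weight per external rating bucket (illustrative only).
RISK_WEIGHTS = {
    "AAA": 0.20, "AA": 0.20,
    "A": 0.50,
    "BBB": 1.00, "BB": 1.00,
    "B": 1.50, "CCC": 1.50,
}
UNRATED_WEIGHT = 1.00  # unrated assets are weighted at 100% (footnote 72)


@dataclass(frozen=True)
class Exposure:
    name: str
    amount: float           # nominal (non-risk-weighted) value
    rating: Optional[str]   # external rating bucket, None if unrated


def risk_weight(rating: Optional[str]) -> float:
    """Map a rating bucket to the percentage of the asset that counts."""
    if rating is None:
        return UNRATED_WEIGHT
    if rating not in RISK_WEIGHTS:
        raise ValueError(f"unknown rating bucket: {rating!r}")
    return RISK_WEIGHTS[rating]


def risk_weighted_assets(exposures: Iterable[Exposure]) -> float:
    return sum(e.amount * risk_weight(e.rating) for e in exposures)


def total_assets(exposures: Iterable[Exposure]) -> float:
    return sum(e.amount for e in exposures)


def minimum_capital(exposures: Iterable[Exposure]) -> float:
    """Capital needed to satisfy both the solvency and the leverage minimum."""
    exposures = list(exposures)
    return max(MIN_SOLVENCY_RATIO * risk_weighted_assets(exposures),
               MIN_LEVERAGE_RATIO * total_assets(exposures))


def assess(capital: float, exposures: Iterable[Exposure]) -> dict:
    """Both ratios, whether each minimum is met, and which minimum binds."""
    exposures = list(exposures)
    rwa = risk_weighted_assets(exposures)
    assets = total_assets(exposures)
    solvency = capital / rwa
    leverage = capital / assets
    binding = ("leverage" if MIN_LEVERAGE_RATIO * assets > MIN_SOLVENCY_RATIO * rwa
               else "solvency")
    return {
        "rwa": rwa,
        "solvency_ratio": solvency, "solvency_ok": solvency >= MIN_SOLVENCY_RATIO,
        "leverage_ratio": leverage, "leverage_ok": leverage >= MIN_LEVERAGE_RATIO,
        "binding_minimum": binding,
    }


# Constructed sample book: identical nominal amounts, rated two ways.
BOOK_HIGH_RATED = [
    Exposure("sovereign bond", 600.0, "AAA"),
    Exposure("corporate loan", 300.0, "AA"),
    Exposure("unrated SME loan", 100.0, None),
]
BOOK_DOWNGRADED = [
    Exposure("sovereign bond", 600.0, "BBB"),
    Exposure("corporate loan", 300.0, "BB"),
    Exposure("unrated SME loan", 100.0, None),
]
CAPITAL = 28.0  # constructed capital figure


if __name__ == "__main__":
    for label, book in (("high-rated", BOOK_HIGH_RATED), ("downgraded", BOOK_DOWNGRADED)):
        r = assess(CAPITAL, book)
        print(f"{label}: RWA={r['rwa']:.1f} solvency={r['solvency_ratio']:.3f} "
              f"({'ok' if r['solvency_ok'] else 'FAIL'}) leverage={r['leverage_ratio']:.3f} "
              f"({'ok' if r['leverage_ok'] else 'FAIL'}) binding={r['binding_minimum']} "
              f"min capital={minimum_capital(book):.1f}")
```

Running it shows the point of footnote 75: the same nominal book needs far less capital when its assets carry high ratings (risk-weighted assets of 280 instead of 1000), so that 28 units of capital pass the 8% test but fail the rating-blind 3% leverage backstop, which is then the binding minimum; once the ratings are downgraded, the unchanged capital no longer meets the 8% minimum either.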
Large financial institutions would play a crucial role in the development of compliance systems, while smaller financial institutions would be able to develop their systems, drawing from the published good practices. In the context of MiFID know-your-customer requirements, best practices with respect to questionnaires for the determination of investor profiles would for instance be extremely useful.77

40. Best practices by the sector. An alternative is that professional organizations instead of the supervisor fulfill this role and publish best practices, such as the successful ISDA (International Swaps and Derivatives Association) standardization of master agreements for OTC derivatives. However, the willingness of market participants to cooperate to that end will usually depend on the economic benefit they may derive from such a project.

3. Dehumanization

a. Problem

41. Systematization decreases commitment. A final problem of systematization is that it goes hand in hand with ‘dehumanization’. Human intervention is increasingly considered a liability and eliminated. Systematization, on the other hand, reduces the risk of human errors and the liability they entail. However, people remain an indispensable link in a sector that is in essence a services sector. One of the challenges of systematization is that employees who have to work with an automated system can lose motivation or commitment. The organization of compliance with the MiFID know-your-customer obligations can again serve as an illustration. Bank employees who determine customers’ investment profiles and give investment advice may get the feeling that their personal competences no longer matter in this process. Whereas they used to give investment advice on the basis of personal knowledge of the client and expertise concerning investment products, today the system provides a suitable match between the customer and a limited range of products. This may lower the level of motivation and diminish the commitment employees are willing to devote to their job. It can even lead to a box-ticking mentality: if compliance with the law is perceived as a matter of following the system, individual employees may no longer be imbued with the fundamental principles of due care towards customers, which are nevertheless the basis and purpose of the MiFID know-your-customer rules.

42. The system as a disclaimer. Another danger is that bank employees – assuming that it is the only way left to still offer added value in the MiFID know-your-customer process – help clients in answering questionnaires. If such assistance is limited to the provision of some background information on difficult questions or explaining the exact meaning of alternative answers, this should not be problematic and could indeed improve the process. However, such assistance can easily lead to practices that threaten the proper functioning of the system. The bank employee may, for example, point out that if the customer chooses a particular answer, he will not have access to potentially interesting products. The customer may then be inclined to answer that question incorrectly, for example by indicating that he is familiar with a certain product when he is not. The bank employee may take his assisting role even further and fill out the questionnaire himself by way of “service” to the client, who often experiences these questionnaires as an administrative burden.78 The customer signs the questionnaire and then trusts that it will be filled out in his interest by the bank employee.79 If a questionnaire has been filled out in this manner – with the customer’s agreement and signature – the consequences are far-reaching. If the customer afterwards suffers losses that are greater than he was able or willing to bear, it will prove most difficult for him to hold the bank liable on account of erroneous advice. The answers filled out by the bank employee may have led to a profile that allowed for investments in those products. The system, which functions correctly but was applied wrongly, will then testify against the customer. The objective of the “know-your-customer” rules – investor protection – is in such a situation far from achieved.

b. Remedial action

43. Continued investment in people. What we must conclude from the above is that systems alone can never be the ultimate solution to the compliance challenge. Systematization should go hand in hand with education. Education should go beyond ensuring that all users of the system have knowledge of the rules. Equally important is that employees are imbued with the values that are at the basis of more detailed rules. Concrete operational instructions are also of crucial importance80 in order to help the employee in understanding how both the system and the client should be dealt with.

44. Systematized support of a correct corporate culture. In addition, the notion of “corporate culture” – although more difficult to grasp – plays a role that should not be ignored.81 Compliance with rules should be embedded in a corporate culture that aims at “good compliance, not mere compliance”.82 The corporate culture of a financial institution should not merely aim at strict observance of legal rules “as such”, but should strive for deeper compliance and even internalization of the objectives that underpin the law.83 Corporate culture can in turn be supported by systems to detect non-compliance risk.84 Enterprises could for example develop a score for behavioral risk similar to the credit scoring mechanisms described above. One could also envisage setting up extra compliance monitoring for products that prove very successful or that generate extraordinary revenues.85 The identification of more legal risk-prone business lines or products can thus be systematized.

D. Perspectives: Customer Relationship Management (CRM)

1. Customer Relationship Management (CRM)

45. New possibilities. Systematization as a compliance technique also offers new opportunities, notably in the relation between financial institutions and their customers. As shown above, the relationship between financial institutions and their customers is increasingly systematized, partly in order to facilitate compliance with complex financial regulation in this domain. An additional benefit for financial institutions is that these systems could facilitate the use of techniques of Customer Relationship Management (CRM), which offer significant marketing opportunities.

46. Customer Relationship Management (CRM). CRM is described as “the opportunity to contact the right customer at the right time through the right marketing medium”86 or “the strategic use of information, processes, technology, and people to manage the customer’s relationship with your company”.87 The CRM logic is said to encourage firms to move away from a product-focused toward a more customer-focused approach to doing business.88 In the context of internet sales, CRM implies, among other things, that the seller of a product uses the system to track what the client does and does not buy, when he or she does this, and even which products he or she looks at or does not look at. Through data mining,89 patterns can be distilled from this information flow. The result may be that the seller ends up knowing the customer better than the customer knows himself. This knowledge is used to address personalized advertising to the client.

47. CRM and data mining in the financial sector. In most sectors, firms need to make considerable investments in systems that allow them to collect and process such client data. In the financial sector, however, many of these data are requested and processed for compliance purposes (e.g. MiFID know-your-customer obligations or consumer credit responsible lending requirements). Using these data for CRM purposes therefore at first sight requires a smaller investment than in many other sectors. It should not come as a surprise that CRM and data mining are already exploited in the financial sector to send targeted advertisements for financial products to customers. Financial institutions also experiment with new opportunities that CRM may offer. In the Netherlands, for example, ING announced in March 2014 that it would use customers’ payment data to allow firms to individualize advertisements. This initiative was unfavorably received by consumer organizations,90 showing that CRM and data mining are, especially in the financial sector, a very sensitive matter. In the financial services sector, special vigilance is also required from a strictly legal perspective.

77 The Belgian supervisor has been given this competence in article 30bis of the Act of 2 August 2002 (as amended in 2013), but has, so far, not yet implemented it.
78 The first ESMA guideline nevertheless requires that investment firms should inform clients, clearly and simply, that the reason for assessing suitability is to enable the firm to act in the client’s best interests (ESMA, ‘Guidelines on certain aspects of the MiFID suitability requirement’, ESMA/2012/387, 5, para 13).
79 To facilitate the detection of such practices, national supervisors are increasingly allowed to engage in “mystery shopping”, which involves a representative of the supervisor acting as a client of a financial institution in order to check whether the financial institution complies with the applicable rules.
80 Compare with Basel Committee on Banking Supervision, Guidelines. Corporate governance principles for banks (July 2015) 31, principle 9, para 135, referring to “practice guidelines”.
81 Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 7, para 21: “Banks with a strong culture of risk management and ethical business practices are less likely to experience potentially damaging operational risk events and are better placed to deal effectively with those events that do occur.” See also the earlier Basel Committee on Banking Supervision, Framework for internal control systems in banking organisations (September 1998) 12, principle 3.
82 Title of the contribution of Daniel K. Tarullo at the Federal Reserve Bank of New York Conference: Daniel K. Tarullo, ‘Good compliance, not mere compliance’ (Federal Reserve Bank of New York Conference ‘Reforming Culture and Behavior in the Financial Services Industry’, New York, 20 October 2014) <http://www.federalreserve.gov/newsevents/speech/tartullo20141020a.pdf>. See also Basel Committee on Banking Supervision, Consultative Document – Guidelines. Corporate governance principles for banks (October 2014) 28, para 132: “Compliance starts at the top. It will be most effective in a corporate culture that emphasizes standards of honesty and integrity and in which the board of directors and senior management lead by example. It concerns everyone within the bank and should be viewed as an integral part of the bank’s business activities. A bank … should at all times strive to observe the spirit as well as the letter of the law.” The final guidelines reiterate similar principles: Basel Committee on Banking Supervision, Guidelines - Corporate governance principles for banks (July 2015) 9-10, nrs 29-32. These guidelines further recommend the introduction of an “ethics and compliance committee within the board of directors, which should ensure that the bank has the appropriate means for promoting proper decision-making, due consideration of the risks to the bank’s reputation, and compliance with laws, regulations and internal rule” (ibid, 18 nr. 77).
83 See the contribution of Daniel K. Tarullo (n 82) 5: “Are compliance programs put in place by risk managers or general counsels understood as a kind of background noise that should not drown out voices urging employees to “make their numbers”, or are they seen as reflecting the views and priorities of senior management. … Do employees understand their job to be maximizing revenues in any way possible as long as they do not do anything illegal or do they understand their job to be maximizing revenues in a manner consistent with a broader set of considerations? In the former case, the message is that the law is a constraint to be observed, but that the purposes or values that underlie it have no additional importance for determining corporate activity.”
84 Ibid 6. See also Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk (June 2011) 7, para 21.
85 In his contribution Tarullo (n 82) refers to proposals along these lines made in Thomas F. Huertas, Safe to fail (Palgrave Macmillan 2014) 158-159; see also Basel Committee on Banking Supervision, Compliance and the compliance function in banks (April 2005) 14, para 38.
86 Scott A. Neslin and others, ‘Overcoming the “recency trap” in customer relationship management’ (2013) 41 J. of the Acad. Mark. Sci. 320.
2. Admissibility of the use of client information for CRM purposes 48. Privacy. The question in how far the bank may or even should use data mining
possibilities must first and foremost be answered on the basis of privacy legislation.91 87
For an overview of definitions, including this one, see E.W.T. Ngai and others, Application of data mining techniques in customer relationship management: A literature review and classification (2009) 36 Expert Systems with Applications 2592. 88 Bas HILLEBRAND and others, Exploring CRM effectiveness: an institutional theory perspective (2011) 39 J. of the Acad. Mark. Sci. 595. 89 Described as “the process of extracting or detecting hidden patterns or information from large databases”. For an overview of definitions, see E.W.T. Ngai and others, Application of data mining techniques in customer relationship management: A literature review and classification (2009) 36 Expert Systems with Applications 2593. 90 Martin Gijzemijter, ‘Bank to trial letting companies target ads at customers based on their payment history’ ZDNet (11 March 2014) ; Martin Gijzemijter, ‘Privacy outrage causes bank to ditch plans for targeted ads based on customers' spending habits’ ZDNet (18 March 2014) . 91 See article 1 of Privacy Directive 95/46/EC which provides that Member States should protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data. This Directive will be replaced by a Regulation in due course (see European Commission, ‘Proposal for a regulation of the European Parliament and of the Council on the protection of
27
Personal data can only be collected for specified, explicit and legitimate purposes and should not be further processed in a way incompatible with those purposes.92 Moreover, such data should be adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.93 Furthermore, personal data may only be processed if the data subject has unambiguously given consent or when one of the other explicitly mentioned circumstances apply (e.g. legal obligation, general interest).94 Privacy legislation therefore clearly limits the possibilities to use data collected for purposes of compliance with MiFID or the Consumer Credit Directive, for other objectives, such as CRM. Only if the client would unambiguously agree, his personal data could be used for such other purposes. 49. Conflicts of interests and Chinese walls. Data mining and CRM possibilities are further limited by conflict of interest rules. Credit institutions and investment firms should be organized so as to prevent conflicts of interest from adversely affecting the interests of their clients.95 When a financial institution passes on confidential data about a client to third parties – even with the client’s permission – and receives compensation or another economic benefit in return, a conflict of interests looms. The client permitting such use of his personal data will often not be aware of the consequences: if the financial institution obtains an economic benefit for this information, it may be inclined to sub-optimally represent the client’s interest (e.g. remaining intentionally vague with respect to the persons to whom and reasons for which data can be passed on). It can therefore be argued that the financial institution’s duty of care towards the client and its obligation to prevent conflicts of interests from damaging clients’ interests, forbid the bank from obtaining a direct economic advantage for passing on clients’ private data to third parties. 50. 
Personalized advertising versus investment advice. CRM techniques in the financial
sector can be used to suggest new products and services to clients on the basis of their previous use of products and services or to send targeted advertisements. When these financial products qualify as financial instruments according to the MiFID definition,96 such CRM techniques must be used with great care. The client risks to perceive these offers or advertisements as personalized investment advice.97 When the offers made to the client do individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)’ COM(2012) 11 final). 92 Art. 6 (1)b of the Data Protection Directive 1995/46/EC; art. 5 b) of the Proposal for a Regulation. 93 Art. 6 (1)c of the Data Protection Directive 1995/46/EC; art. 5 c) of the Proposal for a Regulation. 94 Article 7 a) of the Data Protection Directive 1995/46/EC; art . 6 of the Proposal for a Regulation. Art. 7 of the Proposal provides for the conditions for a valid consent. 95 Article 16 (3) of MiFID II Directive 2014/65/EU. 96 See the list in Annex I.C of MiFID II Directive 2014/65/EU. 97 See the definition of investment advice in art. 4(1) 4° MiFID II Directive 2014/65/EU) and art. 52 of the MiFID I Implementing Directive 2006/73/EC (which will in due course be replaced by a MiFID II implementing directive). Given the many questions about the exact scope of these definitions, CESR (the predecessor of ESMA) developed a fivefold test to determine what is investment advice and what not. 1. Investment advice is a recommendation: apart from information, it also offers an opinion. 2. Investment advice concerns a specific financial instrument (rather than a class of financial instruments, a geographic zone,…) 3. Investment advice is personalized, i.e. it must be represented as suitable for the client or be based on a consideration of his personal circumstances. 4. Investment advice is not provided via “distribution channels” or to the public. 
This would run counter to the personalized character of investment advice.
28
not dovetail with his MiFID investment profile, they could go against the bank’s duty to provide suitable investment advice and lead to administrative sanctions and civil liability. This problem could be resolved (i) by integrating into the CRM product selection procedure an additional check against the MiFID profile for clients who are potentially targeted by the offer or advertisement and (ii) by regularly testing the CRM profile of a client against his investment profile and, if a deviation is detected, inviting the client to check whether his investment profile still corresponds to his real investment objectives (see nr. 51). 3. CRM and the compliance challenge 51. Correction of the system. With some creativity, these techniques may also offer
opportunities and even inspiration for improved compliance with the law. The example of client questionnaires in an investment advice relationship is again inspiring. By creating a CRM profile for each client, the financial institution gains a good insight of the extent to which the investment profile of a client as determined by the MiFID questionnaire corresponds to his actual purchasing behaviour. This raises the question how the financial institution should proceed if the CRM profile of the client shows that his MiFID profile no longer tallies with his real purchasing behaviour, because the client is, for example, systematically taking more or less risks than is acceptable according to his MiFID profile.98 On the basis of current legislation, the financial institution is entitled to base its investment advice on a (correctly drafted) MiFID profile only. The law nevertheless also requires that the financial institution takes steps when the information on which the MiFID profile is based, is manifestly out of date, inaccurate or incomplete.99 The CRM profile can turn out to be a handy instrument to check this. An anomalous CRM profile can, in other words, be a reason to invite the client for an interview to determine whether his MiFID profile should be adjusted. An interesting question in this context is whether a financial institution that has the possibilities to keep CRM profiles can still choose not to. Can it be argued that a financial institution should keep trace of the actual investments of its clients and on that basis invite them to update their MiFID profile ? It may well be that in the near future financial
Investment advice is a recommendation to a person in his capacity as a (potential) investor, who has a patrimonial objective and not an industrial, strategic or entrepreneurial purpose (in which case the financial institution would not give investment advice but could give corporate finance advice). See CESR, ‘Questions and answers. Understanding the definition of investment advice under MiFID’ CESR/10293. CRM techniques are often used via distribution channels (see point 4 above). However, the reference to distribution channels would be removed under the MiFID II implementing directive because there are a large number of cases in which a communication via distribution channels can be perceived by the client as personalized (for example a mailing that addresses the client by his name). See ESMA, ‘Consultation Paper MiFID II/MiFIR’, ESMA/2014.549, 16-17.
98 If the financial institution provides investment advice, the client can ignore the advice and still invest in a product which the financial institution advised against.
99 Article 37 (3) MiFID implementing directive 2006/73/EC (to be replaced by the MiFID II implementing directive in due course).
supervisors will consider this an element of professional behaviour in the best interest of the client.100
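A constructed illustration of the consistency check described in nr. 51 (added here; it is not code from the paper or from any institution): declared MiFID data on one side, CRM purchase records on the other, and a function that only reports reasons for a client review, never rewrites the MiFID profile. The risk scale, thresholds, field names and the FSMA-style "systematic losses despite claimed knowledge" test are assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed data model (not from the paper): the MiFID questionnaire result held by
# the advisory side, and the CRM transaction records held by the marketing side.

@dataclass
class MifidProfile:
    client_id: str
    risk_tolerance: int                          # declared tolerance, assumed 1 (low)..5 (high) scale
    claimed_knowledge: set = field(default_factory=set)  # instrument types the client says he knows

@dataclass
class Transaction:
    instrument_type: str                         # e.g. "bond", "structured_note"
    product_risk: int                            # product risk rating on the same 1..5 scale
    pnl: float                                   # realised result; negative = loss

def assess_profile_consistency(profile: MifidProfile, transactions: List[Transaction],
                               share_threshold: float = 0.5, min_losses: int = 3) -> List[str]:
    """Compare actual purchasing behaviour (CRM) with the declared MiFID profile.

    Returns the reasons why the MiFID profile looks manifestly out of date; an empty
    list means CRM and MiFID data tally. Advice is still given on the MiFID profile
    only; the reasons are grounds to invite the client to review his answers.
    """
    reasons: List[str] = []
    if not transactions:
        return reasons
    # Check 1: is the client systematically buying above (or well below) his tolerance?
    above = [t for t in transactions if t.product_risk > profile.risk_tolerance]
    below = [t for t in transactions if t.product_risk < profile.risk_tolerance - 1]
    share_above, share_below = len(above) / len(transactions), len(below) / len(transactions)
    if share_above >= share_threshold:
        reasons.append(f"{share_above:.0%} of purchases exceed declared risk tolerance {profile.risk_tolerance}")
    if share_below >= share_threshold:
        reasons.append(f"{share_below:.0%} of purchases are well below declared risk tolerance {profile.risk_tolerance}")
    # Check 2 (FSMA report, footnote 100): repeated losses in an instrument the client claims to know
    losses = {}
    for t in transactions:
        if t.pnl < 0 and t.instrument_type in profile.claimed_knowledge:
            losses[t.instrument_type] = losses.get(t.instrument_type, 0) + 1
    for kind, n in sorted(losses.items()):
        if n >= min_losses:
            reasons.append(f"{n} losing transactions in {kind} despite claimed knowledge of it")
    return reasons

# Constructed sample: a client with low declared tolerance who keeps buying risky notes at a loss.
SAMPLE_PROFILE = MifidProfile("client-0001", risk_tolerance=2, claimed_knowledge={"structured_note"})
SAMPLE_TRANSACTIONS = [
    Transaction("bond", 1, 12.0), Transaction("structured_note", 4, -30.0),
    Transaction("structured_note", 4, -15.0), Transaction("equity", 3, 8.0),
    Transaction("structured_note", 5, -22.0), Transaction("bond", 2, 3.0),
]
```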
III. Conclusion
52. Regulation – Compliance – Supervision. When financial law is discussed, financial supervision is usually mentioned in the same breath. This contribution focused on a third important, and closely related, aspect of an efficient financial law system: compliance by financial institutions.

53. Unprecedented amount of regulation. That financial regulation is an ever-changing area of the law is an understatement. Since the establishment of the European Commission’s Financial Services Action Plan in 1999101, and especially since the introduction of the so-called Lamfalussy legislative method102, European financial law has gained momentum, culminating in a tidal wave of new legislation since the financial crisis.

54. Compliance. How to master this profusion of financial regulation, let alone comply with it, is one of the most pressing questions faced today by the financial sector. Smaller financial institutions in particular risk being regulated out of the market.
An important part of the answer seems to be to program compliance into computer systems. Such systematization has some undeniable benefits: compliance can be ensured much more quickly and efficiently. Moreover, the liability risk resulting from individual human errors is reduced. Systematization, however, also entails new risks and causes of potential liability: when the system itself is erroneous, this leads to liability risks on a far larger scale. In addition, building watertight systems tailored to the needs of a specific financial institution has a high price tag, which may be prohibitive especially for smaller players. The dehumanization that results from (computerized) systematization also raises new challenges.
100 A recent report of the Belgian conduct of business supervisor, the Financial Services and Markets Authority (FSMA), goes in this direction. See FSMA, Zorgplicht. Vaststellingen en standpunten naar aanleiding van inspecties, (August 2014) 15: “Data on past transactions can contain important information on the veracity of the reported knowledge and experience of the client. If a client is for example suffering systematic losses on transactions with regard to certain financial instruments, but nevertheless indicates that he/she has knowledge of these instruments, the bank cannot presume that the client’s information is correct but should take steps to verify the veracity of such statement.” (free translation from Dutch).
101 Commission, ‘Financial Services: Implementing the framework for financial markets: action plan’, Communication COM (1999) 232 fin.
102 The Lamfalussy legislative method is a legislative technique used in European financial law to speed up the legislative process. It is based on the idea that only the principles should be agreed upon in the ordinary legislative procedure, involving a proposal by the European Commission and co-decision by the Council and the European Parliament (“level 1 legislation”). The technical details are then delegated to the European Commission, which can adopt “level 2 legislation”. At “level 3” the European Supervisory Authorities (ESAs), composed of representatives of supervisors of the Member States, develop common implementing standards, and “level 4” finally consists of a compliance check by the European Commission. See Alexandre Lamfalussy and others, Final report of the Committee of Wise Men on the regulation of European securities markets (15 February 2001).
Nevertheless, there do not seem to be many alternatives to systematization in tackling the compliance challenge. The legislator and the supervisor increasingly require or presuppose the use of (computerized) systematization as a compliance technique. This contribution has therefore attempted to list the problems of systematization and to reformulate them as challenges for which remedial actions have been suggested. In addition, the opportunities which systematization can offer in the future must not be overlooked. By way of example, this contribution has explored the possibilities of Customer Relationship Management and data mining by financial institutions. It was shown that although financial institutions should use such techniques with great care, they also offer opportunities for improved compliance.

55. Towards a cooperative supervisory model. In the complex maze of financial regulation, the supervisor increasingly takes up the role of intermediary between legislator and financial institutions, between law in the books and law in action, between rules and compliance.
An authoritarian, punitive model of supervision is therefore outdated. In my opinion, financial supervision should continue to evolve towards a cooperative model, in which the supervisor refines laws by recasting them into more concrete rules, guides financial institutions in their search for correct compliance and requires adjustments to their compliance systems and structures if necessary. Administrative sanctions merely serve as the supervisor’s ultimum remedium when failure to comply proves the result of gross negligence or mala fide practices. In this cooperative model of supervision, financial institutions in turn deliver essential input for the development of new rules, guidelines and best practices regarding compliance.