Reduce "cost of compliance"

Regulatory Office: Effectively managing regulatory requirements

Banks are complaining about the increasing, practically unmanageable complexity of regulatory requirements and about the enormous implementation costs that institutions have to bear. There is, however, no end to the flood of regulation in sight. Against this backdrop, it is increasingly important for banks, including small and medium-sized ones, to develop an appropriate management approach for dealing with the constantly growing volume and complexity of regulatory requirements. Moving towards efficient and effective management of requirements calls for three things: effective governance, an integrated management process and a central coordinating body, the regulatory office.

Proactive management required

The number, extent and complexity of regulatory requirements have risen continuously in recent years, creating immense challenges for all financial institutions. The comprehensive work programmes of the EBA, ESMA and the Basel Committee make one thing very clear: there is unlikely to be any pause in regulation in the coming years. And it is not just the number of regulations that is rising; the rate of change is increasing as well. At the same time, the number and scope of external audits have risen significantly, and criminal-law provisions have been tightened.

A purely reactive and late approach to regulation remains typical. Audits are followed by ad-hoc measures and projects. In many institutions, responsibility for implementing regulatory requirements is still not clearly assigned. Requirements are examined in isolation and interactions with other projects are ignored. Inconsistent terminology and a lack of communication between the affected areas lead to ineffective, time-consuming coordination and to misunderstandings. The "cost of compliance" is unnecessarily high. Standardized reporting on the implementation status of regulatory requirements, and on compliance with all relevant regulations, is frequently missing. Those responsible are often left uncertain whether every requirement has been met in a legally compliant way and whether the internal control mechanisms are sufficient.

To implement regulatory requirements comprehensively, sustainably and efficiently, and to monitor compliance with them, the requirements need to be assigned to the organizational units and processes where they can be managed and implemented. In terms of risk governance, the "three lines of defence" model is currently regarded as best practice. This governance model requires a clear and appropriate definition of roles, responsibilities and accountability. Effective and efficient coordination and cooperation across the three lines ensures that there are neither control gaps nor redundancies.

Comprehensive monitoring of regulatory changes

In view of the plethora of regulations from different sources, creating sufficient transparency about which regulatory requirements are relevant to the institution is a huge challenge. Counting only regulatory obligations, German financial institutions alone are subject to more than a thousand legal texts, directives, circulars and guidelines. It is also vital to keep up to date on future developments. In practice, an overview of the flood of regulation can only be obtained with a comprehensive, structured database.

In addition to a comprehensive inventory of all relevant regulations, the basis for an integrated management process for regulatory change is a systematic taxonomy of the regulatory topics that affect the organization. To build it, regulations are first categorized and logically grouped (for example compliance, anti-money laundering, fee-based advisory services, capital requirements), and then assigned to organizational units, business processes, internal policies, and systems or data categories.

Whether the bank is affected by a regulatory standard can initially be assessed at the level of the affected organizational units. In a second stage, a thorough analysis of impact and applicability is carried out using detailed checklists.

An integrated IT system for all information relating to regulation and compliance is an essential component of the overall process. It holds the basic information on all relevant regulatory requirements, records the open weaknesses and the measures defined to address them, including who is responsible for implementation and who is accountable, and supplies status updates. The system ensures that all affected areas, from the executive board to subject-matter experts and topic owners, are continuously notified of relevant regulatory requirements and involved in analysing and reviewing the need for action.

The "Regulatory Office" as a central coordination function

Regulatory requirements have become such a crucial factor that meeting them can no longer be left to an uncoordinated process. The number and complexity of rules make it essential for banks to create a central department dedicated to monitoring and analysing regulatory developments: a "Regulatory Office". Only a bank with central project management for regulatory requirements can ensure that all requirements are handled professionally and efficiently.

A Regulatory Office eases the burden on all other organizational units and lets them focus on their core tasks. Because it is the central department dealing with all regulatory requirements, it ensures that evidence of compliance is available at all times. And because it maintains regular contact with the banking supervisory authorities and continuously monitors regulatory developments, it acts as an early warning system: it can anticipate changes and imminent new developments and trigger internal discussion and decision-making at an early stage, for example where there are implications for business strategy.

The Regulatory Office reports directly to the executive board, maintains relationships with national and international supervisory authorities and is in regular contact with them. At any time it can provide information on all projects and initiatives that matter from a regulatory perspective. It also builds a sound understanding of supervisory relationships and of how bank supervision works, which makes cooperation with the authorities much easier. The supervisory authorities, for their part, benefit from a central department that can deal with their enquiries more quickly and efficiently.

Proactively meeting the challenge of regulation

Alongside digitalization and the low-interest-rate environment, regulation, with its growing scope and increasing complexity, is the issue that currently dominates the financial sector. Banks must build appropriate structures and instruments to implement the requirements efficiently and effectively and to ensure compliance at all times. An effective solution, such as the one described here, has three components: effective governance, an integrated management process for regulatory change and, last but not least, a central coordinating department in the form of a Regulatory Office. Banks can come to terms with the flood of regulation, and this applies to small and medium-sized institutions as well. With appropriate technical tools and, where necessary, targeted outsourcing of tasks, they too can create sustainable structures to reliably implement and comply with the regulatory requirements they face.


Dr. Martin Rohmann, Managing Director, ORO Services GmbH, Frankfurt am Main.


Note: This article was first published in the FIRM Yearbook 2016.
