The compliance function at an inflection point


The 2008 financial crisis brought compliance into sharp focus. At financial institutions worldwide, failures related to compliance led to fines and losses topping $300 billion in the ensuing years—damage approaching the proportions of crisis-induced credit losses. Compliance woes have not gone away since: recent McKinsey research indicates that most senior managers feel more comfortable with their credit-risk management than with their control of compliance risk. The reason for the discomfort is the inchoate state of compliance standards. Best practices for compliance risk are still emerging, few agree on the most effective organizational approach, and business ownership of compliance risk is weak.

Institutions have heavily invested in compliance over the past ten years. Costs increased to unsustainable levels, so banks are now seeking to improve the efficiency as well as the effectiveness of their compliance departments. With standards still emerging, however, tracking developments and comparing compliance performance with peers have proved difficult.

To address this gap, McKinsey launched a compliance benchmarking effort in 2017, with 22 leading institutions from Asia, Europe, and North America, participating. We have updated this effort for 2018, with 24 leading institutions. Both global systemically important banks (G-SIBs) and non-G-SIBs participated. What follows is a report on our latest findings, along with insights from our discussions with executives at the banks that took part. Our aim is to provide a robust fact base for institutions exploring the potential for enhancing their compliance function.

Compliance-spending growth is slowing

In response to regulatory feedback and industry-wide failures, many institutions have expanded the mandate and size of their compliance function over the past decade. However, this growth seems to have peaked. While nearly half our sample of banks saw their costs rise by more than 20 percent during 2014–16, that share fell to one-quarter for the 2015–17 period. Three-quarters of respondents expect compliance costs either to stabilize or fall in the coming year (Exhibit 1).

Exhibit 1: In McKinsey’s 2018 compliance benchmarking survey, most banks reported compliance costs would remain at or near 2017 levels.

Despite the cost pressures many banks face, only six responding institutions expect to reduce the size of their compliance function this year. The two banks that said their compliance costs would rise by more than 10 percent were special exceptions: in one case the extra spending is needed for a major regulatory remediation, and in the other for building out a previously underdeveloped function.

Size and effectiveness are not yet in balance

The proportional size and budgets of compliance functions vary significantly from bank to bank, an indication that compliance has yet to establish a recognized, sustainable balance between size and effectiveness (Exhibit 2). McKinsey’s 2018 survey revealed that the share of resources dedicated to regulatory compliance alone in an average compliance department is 0.79 percent of total full-time equivalents and 0.4 percent of total revenue.

Exhibit 2: The size and costs of compliance functions vary significantly among banks.

The banks with the largest compliance functions tend to be those under strict regulatory scrutiny, whether because of their position in the financial crisis or recent compliance failures (such as rogue-trader incidents or market abuses). The survey results also reveal that global systemically important banks (G-SIBs) spend more and maintain relatively higher levels of compliance resources than other banks, likely because they too are under greater regulatory scrutiny. One conclusion we were unable to draw, however, either from the survey results or from our conversations with executives, was the correlation, if any, between size and effectiveness in compliance functions. In conducting the survey, we observed considerable variation in the ease with which banks were able to provide the information we sought. At some banks, the information on head count and spending was readily available; at others significant resources had to be devoted to finding it. In general, the banks that had greater control of this information also performed better in the compliance maturity self-assessment described in the next section. The variations highlight the importance of professionalizing the compliance function. One step in this direction that larger institutions could take is to appoint a chief financial officer for compliance; for smaller banks, a chief of staff responsible for managing the function’s infrastructure would be more appropriate.

Banks assess the maturity of their compliance function

As part of the survey, respondents were asked to assess compliance maturity in five areas: foundational capabilities, core policies and oversight, critical business and management processes, personnel, and control systems. The results are illustrated in Exhibit 3. The profile of compliance-function capabilities that emerged from the assessment was a varied one. Most banks scored low in areas relating to control systems, including automation, monitoring and assessment, reporting and management-information systems, and analytics. In line with these results, the executives we spoke with were keen to explore how best to use data, analytics, and technology to improve the compliance function and capture untapped potential.

Exhibit 3: The maturity of compliance functions varies by category.

Some non-G-SIBs are enhancing their more basic compliance expertise. Along with some G-SIBs, many non-G-SIBs reported challenges in integrating compliance management within their broader management of risk. Challenges include the need to build a robust risk taxonomy and control library and to integrate compliance within enterprise risk management. The chief compliance officers (CCOs) at non-G-SIBs reported that they were struggling to strengthen core capabilities without making their compliance functions much larger. They were doubtful that following G-SIBs in significantly expanding their function’s size and spending would be an appropriate approach for them.

Automation and analytics remain a challenge

Few banks have cracked the code on applying automation and analytics effectively. Many CCOs reported a sense of frustration that much of the investment in technology was going into end-user tools that required constant attention or quickly became obsolete. The result is that resources are being drained as banks do little more than maintain the status quo.

Another source of frustration according to respondents was the absence of a technology strategy or perspective on how to drive digital change in compliance. Although CCOs were constantly approached by vendors offering technological solutions to various problems, these executives struggle to articulate what they want or to indicate use cases that would allow them to start unlocking value. Many had seen several proofs of concept but no real impact or scale was ever achieved.

Spending more on technology does not guarantee maturity

The difficulties around automation and analytics underscore a key finding from the survey: that the scale of a bank’s spending on technology is not a reliable indicator of the level of maturity attained in the application of technology in compliance (Exhibit 4).

Exhibit 4: The attainment of technological maturity in compliance is not simply a function of higher spending.

Some banks were spending in excess of $50 million a year on technology to support compliance without seeing much progress in its mature application. Among the banks surveyed, the average share of technology in overall compliance costs was only 9 percent, but this share varied among individual banks, from around 1 percent to above 20 percent. The great bulk of compliance spending (79 percent) remains devoted to personnel costs (Exhibit 5).

Exhibit 5: Personnel accounts for more than three-quarters of compliance costs.

Survey respondents are exploring the use of advanced analytics and technology in fraud detection, transaction monitoring and screening, “know your customer” (KYC) processes, and trade surveillance. Compliance and business stakeholders are also evaluating approaches to streamlining and automating banks’ monitoring and testing processes, since these processes involve about one-fifth of compliance employees on average across our sample.

Representatives from both the first and second lines of defense reported difficulties in developing an efficient operating model for monitoring and testing, one that would ensure clear roles and responsibilities, eliminate overlaps, and increase effectiveness. However, some banks reported early successes in using robotic process automation and natural-language processing to support monitoring and testing. All respondents agreed that the adoption of continuous monitoring with automated controls should reduce the need for traditional sample-based testing.

Where next for compliance?

Our survey results and discussions with executives suggest that compliance has reached an inflection point. As regulatory pressures intensify, competition increases, and costs are squeezed, banks need to make their compliance risk management more efficient and effective. We see five actions as critical to achieving this goal.

1. Getting the fundamentals right

Most survey respondents are still filling gaps in basic compliance capabilities. Needs include controls, key risk indicators (KRIs), integration with enterprise risk management (ERM), and regulatory applicability. Many banks are now working to develop cohesive ERM frameworks and ensure the alignment of risk and control taxonomies, policies and procedures, monitoring and testing, risk assessment, and roles and responsibilities across all control functions. Some banks are integrating parts of their risk functions, such as regulatory and financial-crime compliance, as well as integrating operational and compliance risk more broadly. They are starting to adopt more forward-looking, sophisticated KRIs that support active real-time risk management. They are also exploring how to use advanced analytics in conduct risk, trade, communications surveillance, and other areas. Large banks are beginning to rationalize, automate, and streamline their controls. Better controls improve the effectiveness not only of risk mitigation but of monitoring and testing as well.

2. Strengthening risk ownership in the first line

Risk management and oversight depend on the first line playing its role, but with the more recent view of compliance as a risk rather than a legal obligation, business ownership of compliance is still lacking. The culture of compliance management needs to be strengthened in the first line through role modeling, an aspiration and tone set from the top. Banks then need to adopt formal mechanisms such as performance evaluation while ensuring that the right skills and tools are in place.

3. Streamlining compliance processes

Compliance requirements are often added to existing business and functional processes instead of being treated as complete end-to-end processes in their own right. This approach can lead to multiple handoffs and a lack of clarity over roles and requirements, as is often seen in KYC processes during customer onboarding. In addition, many compliance processes are highly manual or supported by outdated tools. All this means that there is ample scope to optimize compliance processes. The best method involves streamlining these processes from beginning to end across functions as a first step, and only then looking at opportunities for automation and digitization.

4. Adopting a dynamic technology-enabled approach to risk management

Our survey results indicate that compliance functions are in need of a technological overhaul to enhance systems and tools in management information, reporting, monitoring, and assessment. Adopting next-generation governance, risk, and control solutions is one option. Banks are already applying advanced analytics in areas such as transaction monitoring, trade and communications surveillance, and monitoring and testing. To help prevent the proliferation of proofs of concept that will be difficult to expand to scale, banks should establish a robust process for challenging analytics and automation use cases. Only those that can be implemented practically and are likely to have the most impact should be approved. Banks can then build minimum viable products and expand to scale, taking care to map each opportunity to specific process steps and requirements. Other key success factors include a two-tier IT structure, a dedicated data lake, and a cross-functional and agile way of working.

5. Building compliance talent

Talent is a crucial enabler of any compliance transformation. Most banks have already begun to approach compliance with a risk-manager mind-set, eschewing earlier, more legalistic approaches. The next wave of change, already visible, is toward a data-driven and analytically enabled function. Leading banks are now beginning to set up talent academies to enhance the data-and-analytics capabilities of their employees.


Rising compliance demands in the wake of the financial crisis led banks to expand their compliance functions year after year. With further growth largely unsustainable, compliance is now at an inflection point. Greater efficiency and effectiveness are needed and automation and advanced analytics offer powerful methods and tools to help banks meet this need.

Those institutions that move quickly will reap the rewards and help set the standard for the next-generation compliance function.