Catherine Sutcliffe of Moxie Rules explores four main challenges compliance and regulatory professionals face in today’s financial industry.
I don’t think I’m disillusioning anyone when I say “control and patrol” roles—by which I mean jobs in compliance, risk, audit and the regulators—are not considered the sexy end of finance. In Joris Luyendijk’s Swimming with Sharks , he asks people to describe their jobs in terms of what animal they would be: traders see themselves as “wolves” and “tigers”, “quants” are “wizards”. In contrast, control and patrol roles are less feisty in their assessment. “Animal? I’m the zoo-keeper!” responds one compliance officer. Another compares himself to a “dog who likes to be kicked.” A regulator thinks of an elephant: powerful and clumsy—you hear them coming.
Which got me thinking: these roles are extremely important, never more so than after the 2007-08 crisis. So why is there often that mixture of self-deprecation, humour and — yes — weariness by the good folk doing them? Having worked in regulatory and compliance roles for well over a decade, I’ve given this a good deal of thought and often chatted about it with contacts of mine who also do these jobs. Here are four reasons why I believe control and patrol roles throw up some specific challenges, but why it’s far from all bad.
The breadth and depth of stuff you’re supposed to know
When the so-called “London Whale” trader at JP Morgan lost over $6 billion back in 2012 , the US authorities called in senior risk staff to ask what they did when they realised there was an issue. “We asked for an explanation and the plan to get out of this position”, they replied. The London Whale presented the following:
“Sell the forward spread and buy protection on the tightening move, use indices and add to existing position, go long risk on belly tranches especially where defaults may realise, buy protection on HY and Xover in rallies and turn the position over to monetize volatility”.
The financial world is a sprawling one, encompassing sell side and buy side, wholesale and retail, trading securities and selling products, investment management and financial advice, wealth management, clearing, settlement…. The deeper you go, the more specialised the role.
In the biggest trading operations, desks cover specific financial instruments for specific industries for specific geographical areas. It’s their job to know what goes on in their niches really well, whereas colleagues in control functions and regulators usually have a wider remit and therefore a broader but less deep knowledge-base than frontline staff. After all, we don’t have one-on-one compliance officers or regulators.
So back to the “London Whale” trader’s explanation of how he was planning to get his position out of a very expensive hole. Are you mulling over whether this could have been a workable strategy or sat there thinking “what the…?” Well, none of the senior risk staff called to give evidence could explain clearly what this meant. This illustrates to me two points: firstly, patrol and control role colleagues usually cover people who have a deeper knowledge than they do. Secondly, saying you don’t understand what someone is talking about is at best very uncomfortable and at worst, credibility crushing, because if you’re monitoring, you should know, right? It takes a brave soul to say “I don’t understand that, explain”.
But as well as knowing how the business operates, you also have to grapple with a lot of rules in these roles and while your knowledge of financial regulations may qualify you to be a contestant on Mastermind, you’re still not going to know all of them. Take the Markets in Financial Instruments Directive (MiFID) II: when it went live on 3 January this year, the statistic cited in many articles was that it comprised over a million paragraphs of rules. And MiFID II is only one part of a suite of hefty rules brought in after the financial crisis: there is the European Markets Infrastructure Regulation (EMIR), the Alternative Investment Fund Managers Directive (AIFMD), the Capital Requirements Directive (CRD) IV, the Capital Requirements Regulation (CRR), the Packaged Retail Investment and Insurance-Based Investment Products regulation (PRIIPs), the Undertakings for Collective Investment in Transferable Securities (UCITS) V, as well as national regulators’ rulebooks… well, you get the drift.
No one person can digest all of that information, let alone figure out how each of the rules should be applied practically to different business streams. But there’s more: as well as understanding both the business and the financial regulations, you have to translate what these often abstract rules mean into something the business can understand, as ownership and implementation into day-to-day operations and complex business models lies with them. This can be incredibly difficult. As we’ve seen with MiFID II, the rules have to apply to a huge range of different business models, so they need to be sufficiently high-level to mould themselves to a range of scenarios. Therefore, to the ever-asked question (usually said with a touch of impatience) “so what does this rule mean we have to do?” there’s no single or absolute answer: it takes judgement and risk appetite.
Proving you’re good value, not a business blocker
“Control-role people are judged with the benefit of hindsight: when something goes wrong we were expected to have spotted it. We control the known knowns but it’s against the unknown unknowns that we are judged.”
Senior Compliance Officer
How do you prove your value in relation to something that didn’t happen?
This is a peculiar difficulty facing control and patrol colleagues, but it’s actually where some of their biggest contributions and business benefits lie when it comes to the bottom line. What would happen if they weren’t there?
Whether they’re seen as a business blocker depends on the culture of the company and the importance it ascribes to control functions: some value them very highly. But—let’s be real—it’s not unheard of for risk and compliance to be considered a nuisance that needs to get out of the way of the business. And if control functions are seen as business blockers, there’s a risk that the business instinctively keeps them out of important developments until very late in the day, at which point, if compliance raises a concern when everyone else is ready to hit “go”, the perception of them as a business blocker is reinforced.
Part of the difficulty is that when something goes right, such as the successful launch of a new product or landing a huge deal, those on the control-patrol side remain in the background. Rightly so: that’s not their job. However, when something goes wrong they’re name-tagged, meaning these roles tend to be coupled with the bad rather than the good, something not lost on the business. Equally, when things do go wrong, they’re rarely things which were foreseen. As one compliance officer put it to me, “control-role people are judged with the benefit of hindsight: when something goes wrong we were expected to have spotted it. We control the known knowns but it’s against the unknown unknowns that we are judged.” Compliance staff and regulators do of course scan the landscape to assess where new risks may arise—such as all the work being done in FinTech—but figuring out what can go wrong in a brand new way is incredibly hard.
And speaking of regulators, they face continual scrutiny from both politicians and the industry to prove they’re not business blockers either. When things are rubbing along nicely, questions along the lines of “do we really need all this?” tend to multiply at both micro and macro levels. For example, in May 2005 as the economy boomed and things were fairly crisis-free, then-Prime Minister Tony Blair took a swipe at the UK regulator, the Financial Services Authority (FSA), for being seen as “hugely inhibiting of efficient business by perfectly respectable companies that have never defrauded anyone“. 
Answering to multiple masters
“You can please some of the people all of the time, you can please all of the people some of the time, but you can’t please all of the people all of the time.”
(Quote attributed to 15th Century British monk and poet John Lydgate)
Internal control colleagues are paid for by the business, and they’re there to serve the business, which in practice means following senior management’s strategy. But they are also the first port of call for regulators who expect them to uphold their rules and ethics. If teachers are in loco parentis then internal control staff are in loco regulatis (yes, made-up Latin). That’s two powerful sets of people they need to answer to. Ideally, there would be no conflict between what each set wants, but as every internal control officer knows, that’s not always the case. The regulator may demand more than the business wants to do, or what has been done is deemed not right.
Depending on the issue at stake, the risk or compliance officer often finds him/herself agreeing more with one party than the other. It’s a balancing act with their role being to satisfy both and that can be hard. This point goes back to the issue of culture discussed above. If the firm hasn’t bought into the need for a robust risk and compliance framework, then it’s an uphill struggle for internal control roles, but arguably their presence is more important now than ever.
Regulators also, as illustrated in the Blair point above, have to balance a range of powerful stakeholders and operate in an evolving environment shaped by the political and economic times. For example, the high-level principles driving many of the post-crisis financial regulations have been handed down from the G20 and filtered into detailed rules through the European Union before reaching national rulebooks. This means that national regulators’ ability to shape domestic regulations is constrained.
Supervising people paid more than you
In 2007, Bob Diamond, then head of Barclays’ investment banking arm, earned £21million, while his boss, Barclays CEO John Varley, was paid around £2.4million, according to various press reports (these figures include basic salary and bonus) .
It can be hard to exert authority over people paid more than you. This point struck me when Barclays was under the microscope during the financial crisis and it was widely reported that Bob Diamond earned substantially more than his boss, John Varley.
While not impossible, reining in someone who may earn multiples of what you earn can be difficult, for a couple of reasons. Firstly, because so often money is used as the measure of someone’s worth and success, especially in the finance sector, which is all about money. Someone is paid more, ergo they are more valuable. Secondly, attached to this hard cash measure is the subtler impact on the individuals’ egos. People bringing in the money are usually paid the higher salaries and high salaries tend to fuel self-confidence/self-importance precisely because it is seen as a measure of success. It becomes a self-reinforcing circle.
There’s another point worth mentioning here: the usual law of order in hierarchical structures is that higher salaries go hand in hand with seniority. However, a compliance officer or regulator may have seniority/ authority over a revenue-producing colleague but a lower salary. This isn’t to say regulators and compliance staff aren’t well remunerated or that it’s unfair. Revenue-making colleagues face a whole range of different pressures and the hire/fire culture can be particularly brutal for them. But we shouldn’t be surprised if control and patrol folk find themselves having to fight against the impulse to be deferential when the task in hand is to challenge.
But it’s far from all bad
It’s almost two decades since the FSA was created and a decade since Lehman Brothers defaulted. Both of these events have had a big impact on control and patrol roles, embedding their importance into the system.
The FSA, itself created due to the recognised need for a stronger regulator, put the roles of compliance and risk at the heart of its regime. As one compliance officer noted: “many professionals in the industry have only ever worked in an FSA or FCA regulated world and they understand the job we do for them so, whilst there is the odd individual who still treats compliance with disdain, there are far fewer now”. Crucially, senior management have become increasingly invested in the importance of getting risk and compliance right. Stelios Haji-Ioannou, the entrepreneur behind Easyjet, said “If you think health and safety is expensive, try an accident” and having been burnt by section 166 reviews, fines and industry-wide reviews, this view is now more widely shared in the upper suites of financial firms. The FCA’s new Senior Management and Certification Regime, which enhances personal accountability for decision makers, underscores this direction of travel.
However, no event in recent memory serves to illustrate the importance of strong internal control and regulatory oversight, or the cost of an “accident”, than the default of Lehman Brothers when, for a few heart-stopping hours, the global economy teetered on the brink of collapse. These roles are integral to fostering a ‘safer’ market and play a vital part in protecting the firm, the financial industry, and—as became clear from the financial crisis—the economy of the country itself. That’s worth recalling if you’re someone who looks for the higher purpose in his or her work.
For the curiously minded, the ever-evolving world of finance means there is always something new to learn, and while the rules themselves make dry reading, they provide a window into how the financial industry works and the politics driving the day. Particularly over the last ten years, following the financial crisis, the rise of fintech and now Brexit, to work in these roles really is to work in key matters driving the headlines.
Control and patrol roles are not easy, but they are an integral part of the financial industry and can be very rewarding. No company is likely to issue a press release saying, “Kudos to compliance, plaudits to audit—they stopped us doing something that could have cost us millions in fines and redress down the line.” However, you being there and doing your job will at least put speed bumps in the way of bad practices and at best, contribute to a thriving business.
I’d be keen to hear whether the challenges and upsides I cover in this article resonate with your own experience in a control and patrol role? If you have any comments, please email me at firstname.lastname@example.org (all comments treated in confidence).
 Swimming with Sharks: My Journey into the World of the Bankers by Joris Luyendijk, first published in 2015, Guardian Faber
 Permanent Subcommittee on Investigations, Majority and Minority Staff Report: JP Morgan Chase Whale Trades: A Case History of Derivatives Risks and Abuses Page 1. Link here
 As above Page 74. Link here
 Tony Blair’s Speech to the Institute for Public Policy Research entitled ‘Risk and the State’ 26 May 2005, discussing the compensation culture. Read the full speech here
 E.g. see Reuters article, 27 March 2008 here
 Independent Newspaper, 26 May 1996 “Profile of Stelios Haji-Ioannou: Travel’s agent orange”. Read article here
 Under section 166 of the Financial Services and Markets Act, as amended by the 2012 Act, the FCA and PRA have the power to obtain a view from a third party (a ‘skilled person’) about aspects of a regulated firm’s activities if it is concerned or wants further analysis. Read more here