Compliance costs don’t merely add up; they pile up, and they represent one of the unruliest expenses in the financial services sector. Since 2011, compliance costs have increased by 43 percent and now tally on average more than $5 million annually. As if that weren’t enough, here is the bad news: companies still do not spend enough.
To understand why, look at the cost of non-compliance. The cumulative expense of regulatory penalties, productivity losses, business interruption and settlement costs now totals $14.82 million annually, a 45 percent jump since 2011. To put that into perspective, companies pay 2.71 times more when they don’t follow regulations.
There’s plenty of room for financial services firms to spend more on data protection and cybersecurity. Looking at the dollars and cents reveals that the expense really represents an investment with a tremendous return. Firms need to understand this because the amount they pump into compliance is about to skyrocket.
“It’s clear that banks have to make an ongoing investment in compliance that not only satisfies regulators, but also gives banks a competitive advantage,” says Karl Dahlgren, managing director at BAI. “Compliance is too often looked at as a necessary evil. Smart banks know that an organization-wide commitment to compliance delivers financial rewards.”
The ABCs of the GDPR era
Today’s firms must manage massive amounts of data that contain highly sensitive details. This data careens daily through various digital channels and onto a swarm of mobile devices. At multiple points along the way this data becomes vulnerable to attack—and frankly, a loss of data is almost inevitable.
Modern hackers—tenacious and sophisticated—rely on a potent mix of advanced technology and social manipulation deployed in countless forms. Because banking and business data has so much inherent value, hackers specifically target financial institutions. That is why attacks on financial services firms quadrupled over the course of 2017.
The cybersecurity issue is uniquely dire in the finance world, but it also spans industries. Regulators know this acutely, which explains why rules about data protection are becoming stricter and more sweeping.
The General Data Protection Regulation recently took effect in the European Union, but it impacts any company with European clients or partners or that collects data on Europeans. The GDPR requires companies to carefully safeguard data while also making it accessible and auditable. More significantly, it levies huge penalties on any company that falls short on compliance. Companies will pay up to €20 million (roughly $23 million) or 4 percent of annual turnover, whichever is higher.
GDPR’s biggest consequence is that non-compliance costs have risen exponentially. Running afoul of regulators always costs money—but now it’s an existential threat. And though GDPR may mark the first regulation of its kind, it’s likely not the last. Data protection and digital privacy represent two central issues of the 21st century and new regulations will come down the pipeline. As each takes effect, compliance and non-compliance costs jump.
Compliance spending and hidden costs
Compliance officers understand that the current and future regulatory landscape requires investing millions more in cybersecurity. But simply throwing money at the problem doesn’t provide an adequate solution.
Cybersecurity is imperative, but we can’t allow it to become obstructive. When security measures become confusing or cumbersome, they frustrate end users and slow workflows. Security compromises efficiency, which leads deadline-driven professionals to disable or work around protections in place. That puts the whole compliance effort in jeopardy and opens the door to a massively expensive cyberattack. So paradoxically, spending more on security can actually make organizations more vulnerable.
This puts compliance officers in a difficult position. They must enact new security measures as user-friendly as they are ironclad. So while compliance costs rise, complexity does as well. And if firms put the wrong defenses in place, cybersecurity is no longer an investment or expense. It’s just a waste.
Cybersecurity and strategy
To adopt more agile approaches to cybersecurity, banks and other institutions increasingly turn to cloud-based solutions. These solutions offer flexibility and adaptability that address today’s dynamic threat landscape. They also allow firms to scale their security to meet the rising demands of regulators—without scaling expenses proportionally.
Once solutions fall into place, banks can create a centralized, indexed data repository that subjects information to uniform protections and supervision. It’s also possible to tweak those protections to preserve productivity for end users. And because everything sits under one umbrella, auditing it for compliance purposes is easy.
Realistically, data protection will create an enormous ongoing cost, but one with a tremendous upside. Regulators enforce new rules because consumers demand them: most adults have fallen victim to a data breach and are increasingly appalled by how companies misuse their personal data. Conversely, they want to work with companies that can prove they take data protection seriously.
Ultimately, compliance achieves these ends. Rising regulatory penalties mean more bad publicity and greater public backlash against offenders. If regulations protect consumers, then compliant organizations show that they respect consumers and deserve their respect in return. That becomes a powerful differentiator as consumers express increasing anxiety over their financial data.
Compliance isn’t just a cost of doing business. It’s much more—and rather than seeing it as a budget line item, financial institutions must embrace it as their modus operandi. If they can, they will satisfy not only their regulators, but also their customers and users. It is a question not just of regulation but also of revelation: that bankers who use their heads will come out ahead.
David Wagner has more than 25 years of experience in the IT security industry. He serves as the president and chief executive officer of Zix, an email security company, and previously held leadership posts at Entrust for 20 years.
If you enjoyed this article, check out BAI's recent white paper: GDPR: The General Data Protection Regulation.