Collective blind spots have not only led to some of the biggest fines in regulatory history but have also driven fundamental regulatory change. The financial services industry around the world has attracted some of the brightest and the best, but that has not stopped collective blind spots from being an apparently perennial Achilles heel.
In 2012 the London Interbank Offered Rate (LIBOR) collusion came to light, with evidence suggesting it had been going on for a decade. There was a collective blind spot amongst the risk and compliance community about the rate-fixing in which many of the world’s leading banks were implicated.
Swathes of regulatory action followed, including fines, legal action and other sanctions, culminating in LIBOR’s validity as the global benchmark being irrevocably damaged. Costs were incurred by the entire industry as LIBOR was phased out by the end of June 2023.
The collective blind spot centered around whether the provision of the input into the LIBOR interest rate calculation was overtly regulated. The wider picture of potential collusion and fraud appeared to have been missed with, apparently, neither risk, compliance nor internal audit functions raising it as an issue.
Off-channel comms
The off-channel communications debacle has played out mostly (so far) in the United States, with close to $3 billion in fines levied against firms for failing to capture and retain business communications. One of the most striking features of the detail of the sanctions imposed is that so many senior people were involved in the rule breaches, the risk surveillance and compliance oversight functions expressly included. It appears it simply did not occur to key senior individuals that conducting business communications through non-recorded channels, no matter what their internal policies and procedures might state, was not permitted.
The regulatory focus on off-channel communications is continuing, with more fines being issued in the US and, reportedly, the FCA having sent a survey to a number of banks asking them to “provide a list of confirmed breaches of unmonitored and/or encrypted applications policies that have been recorded in the UK over the last 12 months.”
In addition, firms are asked for specific details of how senior the individual concerned was, what business area they were in, and how the breach was picked up. The FCA also wants to know the “disciplinary outcome or impact on compensation and promotions.”
Regulators around the world are distinctly irritated by the off-channel communications breaches, as they obscure the regulators’ line of sight to the business being conducted. The point was summed up by CFTC Commissioner Christy Goldsmith Romero who, in a statement in support of holding banks accountable for the widespread use of personal text messaging and/or WhatsApp to evade regulatory oversight, had this to say:
“Tone at the top dictates a bank’s culture and that tone must change on Wall Street and large foreign banks. The tone at the top the CFTC found was one of evasion, keeping regulators in the dark. Change can only happen if the bank’s C-suite establishes a culture of compliance over evasion. It is far past time for the C-suite to step up.”
On the surface it might appear that there is little in common between the collective blind spots at the heart of the LIBOR and off-channel communications regulatory breaches; however, both appear to have occurred without warnings being raised by risk and compliance functions. That raises the question: why not? It is entirely possible that the GRC functions within firms had not, for whatever reason, stepped back and taken a wide, helicopter view of the business and its risks.
Root cause analysis
That lack of a helicopter view was compounded by an apparent lack of root cause analysis, which could have given an insight into possible widespread breaches.
As experienced compliance officers know, root cause analysis is an invaluable tool in the GRC arsenal, both for robustly solving problems and for investigating whether a root cause could be the source of an issue elsewhere in the business. A key example is Morgan Stanley, which was fined on both sides of the pond for the same underlying issue. The UK’s independent energy regulator, Ofgem, fined the firm £5.41m ($6.69m) in August 2023 for not recording and retaining electronic communications between January 2018 and March 2020.
It was the first-ever fine issued in Great Britain under legal requirements to record and retain electronic communications relating to trading wholesale energy products. (See also Morgan Stanley fined $6.8m by UK energy regulator for comms recordkeeping failure.)
In September 2022, Morgan Stanley was one of 16 firms fined more than $1.1 billion in total by the SEC. The firm itself was fined $200m for off-channel communications and associated recordkeeping breaches ‘from at least January 2018 to September 2021’. So, for much the same time period, the same underlying wrongdoing was happening in at least two very different parts of the same group.
Whatever happened or changed in January 2018, staff in multiple locations began ignoring internal policy and started using external (off-channel) means of communication. And it appears that the risk and compliance functions not only did not raise it as an issue that needed to be remediated but, at least in the US, were seen to be part of the problem.
Hindsight is a wonderful thing, and in an ideal world the GRC functions within the firm would have spotted the off-channel communications early and then undertaken a firm-wide (global) root cause analysis to assess whether the issue had occurred elsewhere in the business. That review would have had the opportunity to nip the widespread breaches in the bud and save the firm millions.
Sharing risk
Given the collective blind spots on LIBOR and off-channel communications were so pervasive, what could, in practical terms, be done to prevent a repeat? One option, which could have myriad additional benefits, is the (re)establishment of a routine and regular GRC inter-firm risk and compliance gathering behind closed doors.
Trust would have to be built as well as a commitment to share emerging risks. It would not be a case of washing dirty linen in public but more a “have you seen/have you thought about” discussion together with an open sharing of ideas as to both cause and remediation. It is entirely possible that if multiple firms had shared a similar possible concern, that would have triggered risk and compliance functions to take a closer look.
As a matter of course, care would be needed to ensure no proprietary, inside or competitive information was shared. Approached in the right way, greater structured coordination and cooperation between risk and compliance functions could be achieved and future collective blind spots potentially averted.
Susannah Hammond is a senior regulatory intelligence expert with more than 30 years of wide-ranging compliance, regulatory and risk experience in international and UK financial services. She is co-author of Conduct and Accountability in Financial Services: A Practical Guide, published by Bloomsbury Professional.
She is a well-regarded and sought-after commentator and communicator on all aspects of compliance and risk governance, and the author of popular reports, blogs and articles, with regular podcast and TV appearances.