Responsible compliance

With over 1100 branch offices, 10 million retail and nearly a million corporate customers, Nordea is a Nordic banking powerhouse. Indeed, with 4.3 million of its customers banking online, Nordea can lay claim to the title of operating the largest internet bank in the world.

In common with its contemporaries throughout Europe it is facing up to the challenges of the modern business environment – growing regulatory demands, security concerns, and the complexity of operating across national borders and regimes. And as Head of Group Compliance at the bank, Sonja Lohse has a lot on her plate. Fortunately she was kind enough to find some time in her schedule to give FST the benefit of her experience.

We begin by discussing how Nordea approaches the compliance function across its operations. “It’s a decentralised organisation,” she says. “The unit I head up is in charge of the infrastructure, setting priorities and identifying the main compliance issues. We then have a centralized network of compliance officials in the business area, who take care of the hands-on compliance activities.”

So you’re not involved in these hands-on activities then? “Well I wouldn’t say that. We have a group compliance committee, which includes the head of each business unit, and we’ll look each year in a bit more detail at the specific compliance issues we’re going to focus on.”

MiFID

So what, we ask, are the priorities for 2007? Presumably MiFID is high on the agenda? “Well, of course,” she chuckles. “For this year it’s quite clear that we have the responsibility to coordinate the implementation of MiFID. But we’ve also got to look at the implementation of the Third Anti-Money Laundering directive. These are the clear priorities specifically for 2007.”

This is an issue that is going to be taking up a lot of compliance effort throughout the European industry. So what are the challenges specific to Nordea that MiFID and the Third AML Directive pose? One of the main issues for Lohse is simply the volume of work: “It’s a very detailed, and in a way time consuming exercise, just because of the level of detail we have in the directive.”

However, looking beyond the detail at the wider logic of the new regulations, Lohse is fairly relaxed about Nordea’s starting position. “Nordea has fewer problems than some companies in Europe, because we have always had a very high level of investor protection in the legislation of the Nordic region,” she argues. “We have always had to provide transparent procedures and so on. So the basic ideas in MiFID are not so challenging for us.”

This is in part due to the existing IT systems that Nordea has already developed. Lohse doesn’t see any problems with the existing systems as it builds up to MiFID. The main effort lies in adapting the bank’s internal procedures. “According to MiFID you need to very much document processes that may already be in place in policies. It’s not a difficult exercise, but it’s a bit time consuming for the time being, just to write everything down.”

It might be a surprise to some that, if these processes are already in place, they’re not already documented. Lohse goes on to explain this is a facet of the Nordic environment. “We’ve always had this culture of having basic execution and conflicts of interest policies and so on – what we’d see as a good corporate culture,” she explains. “We really stress that each manager and employee feels responsible for his or her work. But we also have a non-blame culture – so if something goes wrong, you just tell your boss about it and you correct it.”

What this has meant is that the bank has not had the same monitoring and controlling requirements as some of its European peers, and it is this that it needs to get into its routines. “It’s very clear in both MiFID and the AML Directive that you need this visibility, that you can show that you have those procedures in place.”

So is this exercise in crossing the t’s and dotting the i’s just a cultural issue, or does it mean upgrading the technology applications? “Of course we need to build this into our IT systems, and don’t misunderstand me. We have had controlling routines before of course, it is just there is a new emphasis in MiFID.” It’s a case for Nordea then of going back through the existing structures and mapping the areas where work is needed to ensure the specifics of the legislation are met.

Geographic reach

With operations in so many different European countries, how does this geographic reach affect Nordea’s approach to MiFID? “Well we’re running a business wide project, with each area of the business implementing at the local level, almost as sub-projects,” she replies. But, with perhaps the exception of the retail arm, most of Nordea’s businesses are already used to working in a cross-country setup. This means, according to Lohse, that they are used to acknowledging that the same procedures should be in place across different geographies.

However, Lohse is clearly slightly irritated by the differing ways MiFID is reaching ground level in different European countries. “What is a bit, how would you say, challenging is that we can clearly see that there won’t be full harmonisation in the way European countries implement MiFID or interpret different requirements at the level of the FSAs.” The result is that part of the project is to acknowledge that there are some specific extra requirements in particular countries – adding complexity to a process whose ultimate aim is simplification.

But couldn’t Nordea short-circuit this process by centring ownership of compliance operations in one ‘home’ country, we ask? After all, doesn’t MiFID allow this passport idea? Unfortunately this isn’t really an option for the bank any time soon. As the result of several mergers, Nordea has a very fragmented structure. For example, Lohse points out that it has “one legal entity for our banking activity in each Nordic country for banking activity.” She goes on to outline that, while Nordea’s aspiration is to become a “European” company, in the sense of being one legal entity across the continent, the process of achieving this is complicated. “We are still on our journey towards this, we have worked with that issue for, well, I think the past three years, so it’s not a quick fix, that’s obvious. So today we operate from separate legal entities – meaning we have challenges with all these different interpretations of MiFID.”

Data Security

Nordea knows better than most the risks associated with data storage and security. In January it was revealed that 250 of its customers had fallen victim to what has been described as the biggest online heist ever. Over a 15 month period between seven and eight million Swedish Kroner was stolen, after customers gave their account details to fraudsters using an email virus. Although the fraud was the result of compromised customer information rather than bank systems, we steer the conversation towards Nordea’s approach to securely managing its data.

“It’s easy to see that information security in general is perhaps the most important risk management issue a bank has today,” she says. For Lohse this is an area both the business areas and IT need to tackle jointly. “Evidently the business areas and the business managers have the knowledge of both what customers expect and the specific regulatory requirements. Then of course in IT there is the knowledge of best practice on data protection and management.” Compliance’s role is to support each business area in terms of understanding all the risks involved.

These risks include not just protecting the network, but also the issue of which employees have which level of access to sensitive data, and the way differing bank secrecy rules across borders impact operations. “We can’t exchange information cross-country like we would like to because then we would not follow bank secrecy rules,” Lohse says. “But none of this is new,” she continues, “these are the necessary restrictions and routines long since built into our IT systems, and also into the minds of our IT staff – the guys and girls who are running the systems.”

But given the fragmented cross-country nature of the operations, doesn’t this cause frustration for Nordea as a business, as it can’t extract as much value from its customer data as it might like? For Lohse this is something only the business itself could answer. “How do the business areas see the infrastructure? I’m not sure I could answer, it is of course the only thing I see, and of course data protection and access, and safeguarding bank secrets is basic stuff for the industry. It’s something we have in our bones.”

Corporate social responsibility

Unusually for the financial services, Nordea’s compliance function takes the issue of corporate social responsibility (CSR) under its remit. Is this something that fits well with compliance? “When it comes to business ethics, this fits quite well with compliance – the stress on educating employees on ethics and so forth,” she argues. “But then when it comes to other social responsibilities you could claim that it is sometimes a totally other cup of tea than compliance.”

Lohse gives environmental issues as an example that doesn’t fit neatly into a compliance box. “We have global warming on our table – a challenging and interesting issue. But of course for a bank lots of this issue is a question of risk management – we have to recognise say a risk in our customers’ environmental activities, as it might turn into a totally other kind of risk for us,” she says.

How does this impact on the bank’s operational tool set, we ask? Is Nordea now bringing in an environmental assessment of customers, for example? The answer is affirmative. “Definitely. Tools in our lending process, tools for identifying what in the customer’s business setup that could present an environmental risk or challenge for the customer.” And of course through this risk management approach, perhaps Nordea can play its part in driving better environmental practice.

Future challenges

Looking beyond 1 November, when if things go according to plan the business around MiFID’s implementation should ease, what, we ask, does Lohse think are the big challenges facing the European industry? For Lohse, the volume of regulations coming through the system is an issue that could be addressed. “I guess that many people have said this many times, but we are facing an increasingly complex regulatory environment, and this adds to the complexity of doing business,” she suggests.

For the Nordic region, with its tradition of principle based regulation, prescriptive regulations are having a disproportionate impact, with their detailed requirements. “It sometimes feels like we are being overwhelmed,” she says. For Lohse, there needs to be a move back towards principle based regulations to leave some time for “business making”.

Does she see any let up in these regulatory pressures anytime soon? “If you look at the EU financial service action plan over the last five years or so, it was an extremely ambitious plan. The Commission has been able to tick off, I think 40 of the 42 initiatives. We’ve seen this and just had to digest it and act accordingly. But it might be that after another two or three years that everything falls into place – if that is the situation then I think there is nothing really to worry about.”

But what if there is no let up and another 42 priorities appear on the regulatory agenda? It’s not an outcome that Lohse finds any great enthusiasm for. “It’s not just the impact on business operations, but the very process itself that is time consuming,” she muses. “The transparency and openness of the legislative program is good, but I mean, all of these public hearings and consultations you have to take part in if you want to have a say. When you have a massive amount of it, people just get tired.”

Although not something she is looking forward to, Lohse is philosophical about the prospect of another legislative program, perhaps, she suggests, around corporate governance. “The industry has been saying for the past five years we need more principle and evidenced based legislation – it’s easy to say, but it’s more easily said than done.”

Nordea

As the result of successive mergers and acquisitions in the late nineties in the Scandinavian region, Nordea is now the leading financial services institution in the Nordic and Baltic regions. It has around 10 million customers, more than 1100 branch offices, and it also boasts the biggest online bank in the world with 4.6 million e-customers, making more than 200 million e-payments a year. Part owned by the Swedish Government (with a 19.9 percent share), Nordea is listed on the stock exchanges in Stockholm, Helsinki and Copenhagen.

The bank offers a full range of diversified financial services, including retail, private and corporate banking, as well as brokerage and pension services. As well as operating throughout the Nordic region, Nordea sees Poland and the Baltic countries as its home region. In total it has offices in 19 countries, including France, Germany, Spain, the UK and the US.

Sonja Lohse

Sonja is Head of Group Compliance in Nordea Bank, a role she has held since 2000. Prior to this she held numerous positions within Nordea, where she has worked since finishing her law studies at the University of Helsinki in 1980.

She has been building the compliance function in Nordea, and in 2003 Nordea’s Corporate Social Responsibility issues became part of her responsibilities. Since 1999 she has been involved in many European working and expert groups appointed by the EU Commission or European FSAs and she is currently a member of CESR’s MiFID Level 3 Expert Group. Sonja is married and has two sons and a daughter.

The “biggest ever” online heist

In January Nordea hit the headlines for the wrong reasons after it announced it had been the victim of a massive online fraud, costing it close to a million euros. Over the previous 15 months its customers were targeted by a tailor made Trojan, contained in emails sent to them by an international gang, believed to be based in Russia.

The spam email encouraged users to download an application – to fight unwanted spam. The computers of those who downloaded the file were infected by the Trojan, which recorded keystrokes. It also redirected users to a false Nordea home page when they tried to log into their accounts online.

Once the customer entered their security information, this false site gave an error message. The criminals then used the harvested data to take money from the customer’s account. Though Nordea’s transaction monitoring software picked up large attempted transfers, it didn’t detect many smaller transactions. Over a 15 month period enough small transactions were made by the gang to steal between seven and eight million kroner in total.

Security firm McAfee has called the theft the biggest ever online heist, and Swedish police suspect that up to 121 people were involved in the attack. Nordea has refunded stolen funds in full to its customers.

