www.pwc.com/fsi

Making the grade: How financial institutions can improve compliance testing

How do financial institutions plan to improve their compliance testing programs? We asked. Here is what they said.

The heart of the matter

According to our 2015 Financial Services Compliance Testing Survey, most financial institutions are improving their compliance testing programs, but more work remains to be done. In our view, to "make the grade," financial organizations should focus their efforts on aligning the testing that occurs across the three lines of defense, addressing resource constraints, and more fully leveraging technology and data analytics.

Compliance testing is a critical element of every financial institution's compliance management system (CMS). A program of testing compliance and controls includes testing that occurs at the business-unit level (first line of defense), within the compliance function (second line of defense, and the focus of this paper), and by internal audit (third line of defense) (see Figure 1). Such a program provides an institution with the information necessary to monitor its compliance risk exposure and self-correct as necessary. It also helps regulators assess an institution's compliance and determine whether its CMS meets regulatory expectations.

Since 2008, financial institutions have invested heavily in the development of compliance testing and other processes to help ensure compliance with new and more extensive regulatory requirements. Despite that progress, PwC's 2015 Financial Services Compliance Testing Survey shows that 77% of financial institutions plan to do still more by expanding their compliance testing activities within the next two years. Institutions cite a variety of factors that contribute to the need for expansion:

- Increasing regulatory expectations related to compliance testing.
- Ongoing changes in laws and regulations.
- The need to increase the effectiveness of the testing function.
- Growth and/or changes in business activities.

In our view, most financial institutions have a long way to go to "test smarter." Survey participants cite a variety of shortcomings, ranging from an inability to complete their testing on a consistent basis to not being able to do some fundamental testing activities at all. And only 25% of participants report that they leverage data analytics as part of their testing, meaning most financial institutions currently forgo a critical tool for improving the insights revealed by testing.

We believe the three approaches named above can help institutions more effectively and efficiently meet their compliance testing objectives. This can translate into decreased potential for future non-compliance issues and reduced operational and reputational risk, which, ultimately, may lead to better operational and strategic business decisions. In this paper, we discuss the challenges financial institutions face and the approaches that we believe can help.

About PwC's 2015 Financial Services Compliance Testing Survey

We surveyed a broad cross-section of compliance testing executives (who oversee risk) within the financial services industry. Nearly 80% of the respondents are headquartered in the US, and 44% operate globally. Firms ranged from USD 7 billion in assets to more than USD 250 billion.

Responding institutions engage in consumer banking (81%), commercial banking (78%), wealth management (63%), treasury/securities services (59%), asset management (50%), capital markets (50%), private banking (50%), and investment banking (34%).

The number of full-time equivalents (FTEs) in the compliance testing function was reported as fewer than 10 (34%), 11 to 60 (48%), 61 to 100 (8%), or more than 100 (10%).
Among them are better aligning and coordinating testing across the three lines of defense, more effectively addressing resource constraints, and better leveraging technology and data analytics.

Figure 1: The three lines of defense each play a role in effective compliance controls, but it is critical to clearly define roles and responsibilities.

An in-depth discussion

As the regulatory landscape continues to evolve, expectations continue to rise

In recent years, regulators have increasingly looked for financial institutions not only to meet actual compliance requirements, but also to have a robust, high-functioning CMS that includes compliance testing. For example, for financial institutions that are regulated by the Federal Reserve, Supervisory Letter SR 08-8 describes expectations around CMSs, including the need for effective risk assessment, monitoring, and testing programs. SR 08-8 also indicates that "robust compliance monitoring and testing play a key role in identifying weaknesses in existing compliance risk management controls and are, therefore, critical components of an effective firmwide compliance risk management program."1 Other regulators also view compliance testing as a critical element of a financial institution's CMS.

Top challenges in expanding the compliance testing function

Financial institutions continue to face challenges related to their compliance testing programs. When asked to identify the top three challenges:

- 52% of respondents cite issues with availability and retention of staff resources.
- 41% point to the difficulty of getting buy-in and cooperation from the lines of business.
- 37% report an issue with achieving efficiencies among enterprise-wide risk assurance functions.

When asked to identify the top three steps they plan to take to further develop the compliance testing function, survey respondents told us that they plan to:

- Upgrade the skill and knowledge levels of compliance testing personnel (92%).
- Achieve greater collaboration within and among the three lines of defense testing functions (88%).
- Increase the number of compliance testing personnel (84%).

We generally agree that these are good places to start. For example, increasing the numbers and skill levels of testing staff can help address regulatory expectations. And a strong focus on collaboration among the testing functions, on properly aligning their roles and responsibilities, can help gain buy-in from business stakeholders by minimizing testing redundancies. Both can also help improve efficiency among enterprise-wide risk assurance functions.

However, in our view, an additional step can further improve the effectiveness of a compliance testing program in achieving its objectives: increasing the use of technology and data analytics. Based on survey results and our industry experience, we see that many institutions could benefit from making better use of technology and data analytics.

In the discussion below, we take a deeper look at the challenges related to better aligning and coordinating testing across the three lines of defense, more effectively addressing resource constraints, and better leveraging technology and data analytics.

1 Federal Reserve, Supervisory Letter SR 08-8, "Compliance Risk Management Programs and Oversight at Large Banking Organizations with Complex Compliance Profiles," October 16, 2008, www.federalreserve.gov.

Misalignment among the three lines of defense

Our survey reveals that most financial institutions (90%) currently have their compliance testing function within the second line of defense in a formal "three lines of defense" structure.
Typically, the second line of defense has primary responsibility for establishing and maintaining an enterprise-wide compliance program, whereas the first line conducts process-level testing and the third line reports on the overall effectiveness of the compliance program. Yet many financial institutions continue to struggle with aligning and coordinating the compliance testing that occurs across their three lines of defense. Fewer than half of survey respondents report a close level of engagement and coordination between the second and third lines of defense, which can result in communication gaps, high-profile redundancies, and potentially confusing inconsistencies in reporting.

In addition, our observations show that the first and second lines of defense frequently wrestle with many of the same challenges, yet they are often at different stages of development and operate in silos. This makes it difficult for these functions to coordinate their activities or share knowledge. Too often, leadership has not adequately communicated to business-line and process-level owners the nature, purpose, and timing of testing activities. In addition, they have not taken the time to appropriately coordinate the different types of testing performed by the respective lines of defense.

These misalignments help explain why business-unit leaders contend that their groups are experiencing "testing fatigue," that first-line testing requirements are a drain on their resources, that the separate lines of defense seem to test the same things, and that all this oversight comes on top of regulators' examinations. Unwarranted testing pressures on business operations could have widespread negative effects, including productivity losses, as well as impact on customers.

In an effort to reduce testing fatigue, leading-edge financial institutions are taking advantage of lessons learned around aligning their lines of defense as they embrace a centralized approach to testing. However, both a lack of definitive regulatory guidance on first- and second-line testing and a widespread scarcity of qualified personnel remain challenges for many organizations seeking to duplicate those accomplishments.

Staffing resource constraints

Financial institutions across the industry report a significant shortage of professionals (such as compliance officers and audit specialists) who have the requisite compliance and business knowledge, as well as sufficient experience, to thoroughly support compliance testing programs. Our survey finds that 90% of respondents are challenged by a lack of qualified candidates in local markets, 83% by competition for high-demand skills among financial institutions, and 70% by budgetary constraints.

In our view, training is only a partial solution. Although a large majority of organizations do provide professional training for their compliance testing staff, 45% do not require a minimum amount of ongoing professional training relevant to staff members' responsibilities. Further, only 53% of financial institutions perform a compliance competency/skills assessment to determine whether their training programs are delivering the desired results.

These staffing limitations can have serious consequences. One financial institution, for example, observes that it should have 12 to 14 full-time employees in compliance testing but currently has only six, including four who are new. Another survey respondent reports that low-risk and certain moderate-risk testing requirements often are not tested for long periods of time. While banks should continue to recruit and train essential staff, more needs to be done.
Among respondents, 84% plan to increase the number and/or level of their compliance testing resources, and 20% plan to use external co-sourcing options to develop, pilot, or support various components of compliance testing. Respondents cite the following top needs for choosing to use external expertise and staffing resources:

- Specific regulatory compliance knowledge.
- Expertise in regulatory environments and expectations.
- Rapid expansion of staff capabilities.
- Execution of testing activities.
- Leveraging third-party solutions in areas such as enhanced data analytics and automated testing.

Limited use of technology and data analytics

As shown in Figure 2, our survey reveals that only 25% of respondents have implemented and continue to enhance their data analytics. Thirty-two percent report being in the implementation stage, while another 32% are in the early planning stage. Eleven percent say they have rarely or never performed data analysis and have no plans or limited plans for further development of data analytics.

Figure 2: Which stage of evolution best represents your use of data/data analytics?

Financial institutions cite the following reasons most frequently for why they have not yet fully implemented the use of data analytics:

- The compliance testing team does not have dedicated IT personnel (86%).
- Lack of sufficient IT expertise within the compliance testing group (54%).
- Insufficient development of IT systems or applications that support compliance requirements (54%).
- Lack of technology tools within the compliance testing group (46%).

Senior executives are demanding better testing capabilities, too, not just to meet regulatory demands but to take advantage of the vast amounts of data now available. This data can help executives make better, more informed business decisions that more accurately reflect the risks their institutions face. The intelligent use of data needs to be a priority, not only to improve compliance testing but also to meet customer experience, growth, and enterprise objectives.2

Not surprisingly, even when financial institutions are deploying data analytics, their capabilities tend to be at a lower than ideal maturity, and they are not keeping pace with innovative technology developments. As an example, the results of data analytics are delivered primarily through static reports at many institutions. Frequently, internal IT resources are not sufficient in number, or they lack the specific skills needed, to drive innovation and successfully implement leading-edge solutions. In addition to compliance teams lacking sufficient IT skills (as mentioned above), 86% of survey respondents report they do not have dedicated IT personnel on their compliance testing teams, and only 29% expect to invest in the near term in compliance testing software.

2 For more information, see PwC's "The extra mile: Risk, regulatory, and compliance data drive business value," April 2015, www.pwc.com/fsi.

Our recommendations

At a high level, a leading compliance testing program should have an end-to-end, automated, controls-based operation that allows for full-population testing and real-time monitoring. It should leverage data analytics and, with the three lines of defense in strategic alignment, take full advantage of available resources. We encourage financial institutions to complete a self-diagnostic assessment to identify gaps in current compliance testing processes and procedures.

Improving alignment among the three lines of defense

To aid in the reduction of gaps and redundancies in operations, we recommend that financial institutions develop a coordinated approach to compliance testing by establishing a formal policy for key stakeholders across the three lines of defense.
The policy should detail communication, planning, execution, and reporting, with an approach that focuses on enhancing the depth of insight into the risk-taking functions and improving the aggregation and evaluation of risk data at the enterprise level. The policy should begin by articulating the role and value proposition of each risk management function across the enterprise. A foundational next step is to agree on and then establish an integrated, three-tiered testing approach that demonstrates effective coordination and optimizes resources.

Such a policy should recognize and leverage the relative strengths and weaknesses of testing within each line of defense. For example, while the business lines lack independence, they are closest to the facts of the business and most able to respond to test results in real time. In contrast, both compliance and internal audit provide an independent perspective. They can also validate and build on testing done at the adjacent line of defense, rather than duplicating testing efforts.

When organizations seek to optimize the allocation of skills and resources among the lines of defense, we see a clear trend toward shifting responsibility for risk assurance further toward the business and compliance risk owners. This requires upskilling of first- and second-line testing resources and puts risk mitigation in a better, more cost-effective position within the overall organization. Control deficiencies and violations should be identified at a much earlier stage, lessening the need for extensive audit resources and costly mitigation. Additionally, the second line of defense should ensure that testing activities conform to professional standards to allow for reliance by the third line.

A policy that seeks to integrate the three lines of defense should also include well-defined and meaningful metrics. These metrics should define what success looks like and map the program from the initial stages to full implementation. Organizations should reinforce the benefits of a well-coordinated three lines of defense structure by measuring and communicating expectations. Such an approach should align with regulators' expectations and, more importantly, provide value to shareholders in terms of risk mitigation cost.

Managing resource limitations

Although it can be difficult, financial institutions should address the challenge of staffing their compliance testing functions by doing the following five things:

1. Establish a leading-edge testing function to promote the idea that compliance testing is a desirable career opportunity. To increase attractiveness, start by defining desired behaviors, working practices, and supporting attributes of the future-state culture, and then compare these against existing ways of working to highlight gaps and identify needed changes. Then, once new expectations are communicated, consideration should be given to talent retention programs, as well as to training, reward, and performance management programs. This will identify and concentrate resources on those programs the organization would like to retain. For example, financial institutions should offer a highly competitive compensation and benefits package while also considering other initiatives, such as offering attractive "tours of duty" for compliance personnel.

2. Consider the next generation of compliance leaders and the need to bring many additional people into the compliance testing function, because current leaders tend to hold a good deal of tenure.
When looking for top talent, consider the following key factors:

- Business and regulatory insight, including an ability to leverage a deep understanding of the business's operational processes and regulatory expertise to translate regulatory expectations into business impact.
- Collaboration, including an ability to build strong, trusted relationships with regulators and key business and operational leaders, as well as to facilitate alignment among key constituents in all three lines of defense.
- Technology and advanced analytic skills, including an understanding of governance, risk, and control (GRC) technology, as well as the ability to analyze data and deliver a data-driven perspective to manage risk and meet customer experience, growth, and enterprise objectives.

3. Require a minimum amount of ongoing professional training relevant to staff members' responsibilities. Financial institutions should perform a compliance competency/skills assessment to determine whether their training programs are delivering the desired results.

4. Develop a strong technology program, including the use of data analytics and automated testing, to reduce overall staffing needs and develop more non-traditional skill sets, such as information technology experience.

5. Complete a cost-benefit analysis and determine whether co-sourcing testing activities with third-party specialists who have already established their own center of excellence could help reduce operating costs. Co-sourcing specialists can provide personnel with advanced skills and expertise that can improve the overall quality and efficiency of testing (see Figure 3). To illustrate, the case study below describes how one global bank reaped benefits from employing a co-sourcing arrangement.

Figure 3: When completing a cost-benefit analysis to determine whether to co-source, four key elements should be considered.
Enhancing compliance monitoring and testing through co-sourcing

As a result of regulatory concerns, a bank's compliance group needed to increase its testing sample size when conducting compliance controls monitoring and testing. To help manage the increased workload, the bank sought a third-party co-sourcing team to assist in developing a front-end monitoring plan. Using subject-matter specialists and service delivery center capabilities, the co-sourcing team helped the bank develop a plan to complete its compliance monitoring and testing program by:

- Assisting with overseeing and reviewing daily monitoring activities
- Managing impact from regulatory changes
- Performing data-mining functions
- Implementing a robust quality control process
- Leveraging advanced data analytics to implement data-mining improvements

As a result, the bank reduced costs and transformed its "business-as-usual" compliance testing process into a more proactive, risk-based process that centers on continuous improvement, all of which helped resolve the regulator's concerns.

Leveraging technology and data analytics

We recommend that financial institutions integrate information technology into their compliance testing processes and invest in initiatives to develop advanced data analytics. As we discuss in "Let's make a difference: Managing compliance and operational risk in the new environment," financial institutions should use data analytics as a tool to both prevent compliance failures and manage risk more efficiently and cost-effectively.3 In our view, a strong data analytics program for risk identification, testing, and reporting consists of the following activities:

- Analysis of large samples and evaluation of relationships among the testing population.
- Identification of outliers and out-of-compliance exceptions.
- Targeted testing based on data risk analysis.
- Whole-population testing to reduce reliance on sampling and provide deeper insight.
- Analysis of results and enhanced reporting.
- Root-cause analysis to implement remedial action and enhance risk management practices.

Financial institutions should also use technology to automate testing processes that are standardized, repeatable, and cost-effective. One way to accomplish these testing objectives is through a larger upgrade of the company's GRC infrastructure. Financial institutions can implement GRC technology to configure their testing programs' policies, standards, and associated workflows to guide a user through all required activities, which we discuss in more detail in "Getting tactical: Improving enterprise resiliency with GRC technology." GRC technology can automate these tasks so that compliance managers can focus on data quality, risk transparency, and strategic planning.4

To be successful in these efforts, institutions should work with key stakeholders as part of an enterprise-wide effort, or they can pilot discrete initiatives to deliver early wins and build support for further change. Where in-house expertise is not up to the task, institutions should leverage external resources to help develop, implement, and pilot advances in data analytics while upgrading the skill sets of their internal personnel.

3 PwC, "Let's make a difference: Managing compliance and operational risk in the new environment," August 2013, www.pwc.com/fsi.
We also suggest utilizing a GRC platform in which data is consolidated into one repository, because this can enhance the organization's capability to develop more advanced data analytics.

4 PwC, "Getting tactical: Improving enterprise resiliency with GRC technology," April 2015, www.pwc.com.

Sample "health check" assessment

We encourage financial institutions to grade themselves regarding their current compliance testing processes and procedures. Figure 4 provides a "health check" or self-analysis that financial institutions can use as part of this assessment. The answers to the "health check" assessment can be the starting point for developing a plan for improvement, one that focuses the organization's use of time and resources. The "health check" assessment can also help build the business case for change.

Figure 4: Questions financial institutions should ask themselves.

What this means for your business

Financial institutions are making progress toward creating a stronger, more effective compliance testing function, but many organizations remain constrained by both a lack of clarity around the appropriate testing model and a scarcity of personnel with the requisite skills. In this environment, organizations should seek to leverage the benefits of a centralized testing approach by better aligning their three lines of defense, better managing their use of resources, and leveraging technology and data analytics.

Improving transparency and alignment among the three lines of defense.

By better aligning the three lines of defense, it can become easier to share lessons learned about compliance and risk issues across the institution. Better alignment can improve overall risk management and position the enterprise to meet the ever-increasing demands of both regulators and internal stakeholders.
More effective first and second lines can also result in a seismic shift, reducing the third line's need for "back-fill" testing at lower levels and allowing that line to focus more on enterprise-wide perspectives. Finally, it also reduces testing fatigue, which results in improved productivity and employee morale in both business and testing functions.

Managing resource constraints.

By taking steps to create a leading-edge testing function, organizations promote the idea that compliance testing is a desirable career opportunity, which in turn allows for improved attraction and retention of high-quality, motivated staff. They can also achieve a targeted re-allocation of staff by increasing the use of data analytics and automated testing and by training talent on both business and regulatory perspectives. When institutions lack the human or technical resources necessary to accomplish these goals on their own, co-sourcing with an experienced third party can efficiently bridge the gaps, as co-sourcing teams are often called upon to serve multiple clients with far-ranging needs. Additionally, such third-party personnel typically have the requisite subject knowledge and experience in virtually every applicable regulation, whereas many financial institutions find it difficult to develop and maintain a comparable level of expertise in-house. The co-sourcing model also gives institutions the option to quickly scale up or down the resources utilized for testing, based on need.

Leveraging technology and data analytics.

Organizations that have embraced technology and data analytics are now able to more quickly identify the root cause of compliance shortfalls and promptly deploy resources to correct those issues that present the greatest risk. Automating testing processes can not only help financial institutions enhance their overall risk assessment and testing processes but also free up skilled personnel who can focus on areas of higher complexity or higher risk.

To keep pace with trending regulatory expectations, financial institutions need to move from a "tick the box" compliance testing approach to one that develops better, more nuanced compliance testing programs and provides increased transparency into compliance and risk management activities. Using this approach, financial institutions can transform their compliance functions from reactive to proactive teams that are better able to anticipate risks and prevent incidents of non-compliance while supporting strategic business goals. And those that do so will not merely "make the grade," they will likely be at the top of the class.

For a deeper conversation, please contact:

Richard Reynolds, Compliance Testing Leader, (646) 471-8559, richard.reynolds@pwc.com, https://www.linkedin.com/in/richreynolds1
Michael Walker, Banking Consumer & Corporate Compliance Testing, (646) 471-7565, michael.t.walker@pwc.com, https://www.linkedin.com/in/michaeltwalker1
Yoon Chong, Capital Markets Compliance Testing, (646) 471-6259, yoon.h.chong@pwc.com, https://www.linkedin.com/pub/yoon-chong/57/63/130
Adam Gilbert, Global Regulatory and Compliance Leader, (646) 471-5806, adam.gilbert@pwc.com, https://www.linkedin.com/pub/adam-gilbert/12/902/53b
John Sabatini, Advanced Risk and Compliance Analytics Services Leader, (646) 471-0335, john.a.sabatini@pwc.com, https://www.linkedin.com/pub/john-sabatini/28/518/739
Roberto Hernandez, Consumer Finance Group, (214) 754-7321, roberto.g.hernandez@pwc.com, https://www.linkedin.com/in/robertohernandez1
Joseph DeVita, GRC Technology Solutions Leader, (203) 539-4186, joseph.devita@pwc.com, https://www.linkedin.com/in/josephdevitapwc

We would like to thank Janis Czuszak, Andrew Lebensburger, and Andrey Shperling for their contributions to this publication.

About us

PwC's people come together with one purpose: to build trust in society and solve important problems.

PwC serves multinational financial institutions across banking and capital markets, insurance, asset management, hedge funds, private equity, payments, and financial technology. As a result, PwC has the extensive experience needed to advise on the portfolio of business issues that affect the industry, and we apply that knowledge to our clients' individual circumstances. We help address business issues from client impact to product design, and from go-to-market strategy to human capital, across all dimensions of the organization.

PwC US helps organizations and individuals create the value they're looking for. We're a member of the PwC network of firms in 157 countries with more than 195,000 people who are committed to delivering quality in assurance, tax, and advisory services. Find out more and tell us what matters to you by visiting us at www.pwc.com/US.

Gain customized access to our insights by downloading our thought leadership app: PwC's 365™ Advancing business thinking every day.

A publication of PwC's Financial Services Institute
Marie Carr, Principal
Cathryn Marsh, Director
Kristen Grigorescu, Senior Manager

Follow us on Twitter @PwC_US_FinSrvcs

"Making the grade: How financial institutions can improve compliance testing," PwC, November 2015, www.pwc.com/fsi.

© 2015 PwC. All rights reserved. PwC refers to the US member firm or one of its subsidiaries or affiliates, and may sometimes refer to the PwC network. Each member firm is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.