Governance and compliance procedures are often taken for granted in marketing — until they fall down. But what happens when risk and compliance procedures go wrong?
Imagine a financial institution launching a lead generation campaign in partnership with a high-end retailer at a business event and sharing those leads. Consent is obtained on some event collateral, but not on others. Then the retailer suffers a data security breach, leaving hundreds of high net worth individuals wondering how their data got out. Europe’s General Data Protection Regulation and other privacy rules put the burden of proof on businesses to show that all the customers at that event consented for that information to be shared.
Consumers are showing more concern about what’s happening with their data: complaints to Britain’s Information Commissioner’s Office (ICO) about potential data breaches have more than doubled since GDPR regulations came into force in May 2018.
And the compliance stakes that brands are playing for are high: companies found to breach GDPR rules can be fined up to €20 million (£16.5m) or 4% of their worldwide turnover.
Then there is the clean-up after a breach has occurred: in Australia, for example, the big 4 banks are facing new costs amounting to A$2.4 billion to clean up after years of compliance failures and misconduct.
That includes an estimated $1.1 billion to pay for new compliance programs that regulators will demand over the next 3 years, and $1.3 billion for ongoing fines and customer remediation programs expected to run until 2020, according to Morgan Stanley.
Many of these were the result of a banking culture seen to value profit above all else. But that profit is now under threat. Already, the big four have seen their aggregate profits drop 5.5% in the past financial year, down to $29.49 billion. Hiring freezes and restructures targeting cost-savings are now widespread as banks look for ways to recoup those costs.
Marketing teams within the financial services industry are finding themselves front and centre during the compliance and clean-up process. It’s too easy to cause a breach that could have serious consequences in the current regulatory climate.
Who hasn’t come across an instance of a carefully crafted email whose content went through the correct compliance procedures but was mistakenly distributed to the wrong list? It happens all the time. But it can have serious consequences.
Imagine a case in which sending an email to the wrong list results in a financial institution offering new credit products to customers that have notified that institution they have a gambling problem — and it’s clear how serious the ramifications can be.
So it’s more critical than ever for marketing teams to ensure all their marketing risk and compliance procedures are watertight.
There have traditionally been 3 lines of defence when it comes to structuring a Marketing Risk and Compliance program: Marketing, Legal and Risk, and Audit.
But perhaps the industry would be better served by tapping technology to strengthen this framework. We can now identify 5 lines of marketing risk and compliance defence.
The first line of defence is the key to success. Marketing must be fully responsible for all the risks in its area and ensure that effective controls are in place to protect against them. Marketing, with the assistance of the second line, should develop and implement a Marketing Risk and Compliance Program. But Marketing is the owner of the program and must ensure that all work goes through the right checks and is formally approved before it hits the market.
The second line of defence works with and supports the first line. Legal and Risk reviews and advises on individual materials based on regulatory requirements. They should also support the continued implementation of the program and supervise how it is applied, as well as provide the advice necessary to integrate business changes into the key processes. If regulations change, for example, Legal and Risk must track those changes and provide the most current information – and how it affects your company — to the Marketing team. And your Legal and Risk teams need to sign off on the relevant marketing materials before they are sent out.
Even with a robust marketing risk and compliance program to ensure correct the checks and balances are in place, it’s easy for errors to creep in. For example, after multiple rounds of amendments, it can be hard to ensure the correct version of a piece of marketing content was actually the piece that went to market. The right marketing compliance tools can automate much of this process, informing marketing risk and compliance when new assets need to be approved, keeping approved content and feedback from risk and compliance together in one platform and one communication stream, so that it’s always clear when compliance hurdles have been passed; and identifying the correct asset for distribution. If disclaimers need to be updated, for instance, these may be updated once in the compliance tool and applied where relevant thereafter, ensuring current regulations are observed.
An internal audit function, which operates as a check and balance on the marketing risk and compliance program, is traditionally the final line of defence. The role of audit is to ensure policy has been followed for the overall process. Ideally audits should be conducted by a separate team scrutinising random data at set intervals. They are responsible for the quality control of the business processes surrounding marketing and ensure that they are consistently applied to guarantee continuity of operations. The more robust your internal audit, the better the chances you’ll pass next time your official auditor — or the regulator — comes knocking.
Companies, particularly those working with distributed teams, franchisees or external agents, are on notice that they must take every possible step to ensure that those representatives observe marketing and regulatory policy; but oversight is often more difficult. Artificial intelligence can now be harnessed to help streamline and reduce daily compliance burdens, and even to predict in near-real time when they are in danger of being breached. AI can be applied to complement the spot-checking practices of internal audit teams and provide an additional line of defence, particularly when it comes to third-party relationships with external agents: for example, natural language processing can be enlisted to evaluate emails and other communications to ensure they adhere to the rules; and repeated breaches can quickly be identified and remedied.
With all marketing teams disseminating messages across more and more channels to market, the volume of material that needs to be reviewed is growing at an exponential rate. Intelligent marketing resource management technology with built-in compliance controls can be used to disseminate pre-approved marketing materials and to maintain compliance processes internally, as well as with external agents. Technology can be used to amplify the impact of valuable marketing risk and compliance teams, capturing and generating learnings and bringing significant issues to the attention of compliance executives in near-real time. Above all, intelligent and automated marketing compliance tools add additional lines of defence to the traditional marketing risk and compliance frameworks.