One survey revealed that half of the bank respondents spent 6% to 10% of revenue on compliance.[1] Another report estimated that compliance operating costs at retail and corporate banks increased by over 60% in the eight years following the financial crisis of 2008–2009.[2] In 2021 large public companies averaged $1.3 million annually for internal costs related to compliance with the Sarbanes-Oxley Act (SOX).[3] And manufacturers pay almost $20,000 per employee to comply with U.S. federal regulations.[4]
Noncompliance is costly. In 2021 regulators enforcing the European Union’s General Data Protection Regulation (GDPR) assessed fines totaling $1.25 billion, with Amazon topping the list, at €746 million.[5] Penalties for failure to properly protect against consumer data breaches have grown steadily across all regions, with Chinese firm Didi Global recently topping all previous fines, at $1.19 billion.[6]
Violations of the U.S. Health Insurance Portability and Accountability Act (HIPAA) run into the billions annually.[7] One example: Anthem paid a record $48.2 million to state and District of Columbia regulators and $16 million to federal regulators, all relating to a cyberattack dating back to 2014.[8] Failure to comply with the Payment Card Industry Data Security Standard (PCI DSS) can result in fines ranging from $5,000 to $100,000 monthly.
Meanwhile, new regulations continue to add to compliance complexity and costs. The U.S. Securities and Exchange Commission (SEC), for example, is proposing new requirements for climate-related financial data[9] and other issues in the environmental, social, and governance (ESG) arena.