Compliance Exception Reporting: How It Works
A compliance exception is any activity that violates a rule, policy, or regulation. Compliance exception reporting is the formal process of catching these violations (via surveillance systems), documenting them, escalating to the right team, investigating the cause, deciding on remediation, and tracking resolution. It is not a legal event on its own; it is a workflow. Exception rates—how many violations per million transactions—are used as a barometer of compliance health.
How exceptions are generated
Compliance exceptions come from three main sources:
Automated surveillance systems: Most exceptions are generated by rules running continuously in trading, payments, or transaction-processing systems. A limit is set (e.g., “no single trade can exceed $10M notional”), and every transaction is checked.
- A trader submits an order for $12M. The rule triggers an exception.
- A customer initiates a wire to a sanctioned country. The sanctions-screening rule blocks and logs the exception.
- An options trader breaches their daily loss limit at 3:47 PM. A limit-check rule flags it.
Manual monitoring: Compliance officers review activity that doesn’t fit a simple rule. Did this customer’s transaction pattern change overnight? Is this trade economically sensible? Manual exceptions are less frequent but often indicate deeper problems.
External reports: Regulators, counterparties, or customers report violations they’ve noticed. A customer complains that their order was mishandled; the complaint is logged as an exception and sent to the responsible business unit for investigation.
The exception workflow: From alert to resolution
Most institutions follow a standard workflow:
1. Capture and logging
The exception is logged in a tracking system (often called a “control log” or “exception management system”). The system records:
- Date and time
- Rule violated
- Transaction or actor involved
- Initial severity assessment
2. Triage
A compliance analyst reviews the alert within a set timeframe (often 24 hours). Is this a real violation or a false positive? A trade for $10M and $1 in the same submission might trigger two separate exceptions; one is real, one is noise.
3. Investigation and context gathering
The analyst digs into what happened:
- For a trading exception: Was the trade authorized? Did the trader have the mandate? Was it later cancelled or corrected?
- For a transaction exception: Is there a legitimate business reason? Did the customer have proper documentation?
- For a behavior exception: Has this activity been flagged before? Is there a pattern?
4. Resolution decision
Based on investigation, the analyst decides:
Dismiss: It was a false positive or an authorized variance. Exception closed.
Remediate: The violation occurred but can be fixed. Examples:
- Reverse an unauthorized trade and reimburse the customer.
- Block a customer’s account pending additional due diligence.
- Restrict a trader’s authority to prevent recurrence.
- File a Suspicious Activity Report (SAR) if AML-related.
- Issue a warning to the trader or the business unit.
Escalate: The violation is serious or unusual. It goes to Legal, Risk, or Audit; may trigger external reporting (to regulators); may be documented for regulatory inquiries.
5. Documentation and closure
A summary is written and filed: what the violation was, how it was investigated, what decision was made, and what remediation was applied. The exception is marked closed, and the record is retained (often for 7+ years, per regulation).
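The five steps above, expressed as a small exception record that refuses skipped steps, flags a missed 24-hour triage window, and will not close without a documented decision. This is an added illustration, not code from the article or from any vendor's exception management system; the state names, the 24-hour and 7-year values and the sample timestamps are taken from the text or constructed here.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Allowed state transitions for the five-step workflow; anything else is rejected.
TRANSITIONS = {
    "logged": {"triaged"},
    "triaged": {"investigating", "closed"},  # a clear false positive may close at triage
    "investigating": {"resolved"},
    "resolved": {"closed"},
}
DECISIONS = {"dismiss", "remediate", "escalate"}
TRIAGE_SLA = timedelta(hours=24)       # triage expected within 24 hours
RETENTION = timedelta(days=7 * 365)    # records retained for 7+ years

@dataclass
class ExceptionRecord:
    rule: str
    subject: str                       # transaction id or actor involved
    severity: str                      # initial severity assessment
    logged_at: datetime
    state: str = "logged"
    decision: str = ""
    history: list = field(default_factory=list)   # (timestamp, state, note) audit trail

    def advance(self, new_state: str, at: datetime, note: str = "") -> None:
        if new_state not in TRANSITIONS.get(self.state, set()):
            raise ValueError(f"cannot move from {self.state} to {new_state}")
        if new_state == "closed" and not self.decision:
            raise ValueError("closure requires a documented decision")
        self.state = new_state
        self.history.append((at, new_state, note))
    def triage(self, at: datetime, real: bool, note: str = "") -> None:
        self.advance("triaged", at, note)
        if not real:                   # noise: dismiss and close immediately
            self.decision = "dismiss"
            self.advance("closed", at, "false positive at triage")
    def resolve(self, at: datetime, decision: str, note: str) -> None:
        if decision not in DECISIONS:
            raise ValueError(f"unknown decision {decision}")
        self.decision = decision
        self.advance("resolved", at, note)
    def triage_sla_breached(self, now: datetime) -> bool:
        triaged = [ts for ts, s, _ in self.history if s == "triaged"]
        end = triaged[0] if triaged else now   # still untriaged: measure against now
        return end - self.logged_at > TRIAGE_SLA
    def retain_until(self):
        closed = [ts for ts, s, _ in self.history if s == "closed"]
        return closed[-1] + RETENTION if closed else None
```

The history list is the closure record the exam will ask for: every state change carries its timestamp and note, and a record that was never triaged shows as an SLA breach rather than silently disappearing.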
Common types of exceptions in financial services
Trading and market conduct:
- Trader exceeds daily loss limit
- Trade submitted without required pre-trade approval
- Trader violates a concentration limit (holding too much of a single stock or sector)
- Order placed to a blacklisted counterparty
- Trade executed outside permitted hours
Payments and transactions:
- Wire to a sanctioned country or entity
- Transaction amount exceeds a threshold without supporting documentation
- Customer transfers to themselves (possible fraud or money laundering)
- Transaction to a high-risk jurisdiction without enhanced due diligence
Account and customer:
- High account inactivity followed by sudden large transactions
- Beneficial owner change not properly documented
- Customer trading after hours without authorization
- Customer opening multiple accounts under similar names (structuring risk)
Regulatory and compliance:
- Advisor without proper licensing making recommendations
- Conflict of interest not properly disclosed
- Unsuitable product sold to a customer
- Required training not completed
Why exception rates matter as a compliance metric
Regulators and boards track exception rates as a proxy for control effectiveness. An exception rate is typically measured as:
- Exceptions per million transactions (common in payments, trading)
- Exceptions per day (for smaller volumes or manual monitoring)
- Exceptions as a share of business events (e.g., 2 exceptions per 1,000 accounts opened)
A low exception rate might suggest:
- Rules are working (they catch real violations)
- Staff are compliant (they follow the rules)
A high exception rate might indicate:
- Rules are too strict (many false positives)
- Controls are weak (rules aren’t preventing violations)
- Business environment has changed (old rules no longer fit)
If a trading desk suddenly shows 10x its normal exception rate, compliance investigates. Is there a control failure? Is the trader rogue? Has the market shifted, making old limits irrelevant?
Regulators expect exception rates to be tracked, analyzed for trends, and acted upon. Ignoring a rising exception rate is itself a compliance failure.
False positives and overly sensitive rules
Not every exception alert is real. An order for 10 million shares might be legitimate if the customer is a large fund. A wire to Hong Kong might be routine if the customer is a China-focused investor. Rules that are too sensitive generate noise.
Managing false positives:
- Refine rule thresholds based on historical data (if no customer has ever legitimately done X, the limit can be lower).
- Whitelist recurring, pre-approved transactions.
- Combine multiple signals (e.g., “block only if transaction and new counterparty and unusual time”).
- Regularly review false positive rates; if more than 10–20% of exceptions are false, adjust rules.
A compliance system that cries wolf constantly loses credibility and may miss real problems.
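An added example, not code from the article or from any surveillance product, covering both the automated rules described under "How exceptions are generated" and the false-positive controls listed just above: a notional limit, sanctions screening, a combined-signal rule that fires only when three conditions hold together, a whitelist for pre-approved recurring flows, an exceptions-per-million figure, and the 20% false-positive review threshold. The country code, names, thresholds and transactions are constructed; the choice that a whitelist can suppress tunable rules but never the sanctions rule is this example's design, not a claim about any particular institution.

```python
from dataclasses import dataclass

# Constructed thresholds and lists; the country code and names are placeholders.
SANCTIONED_COUNTRIES = {"ZZ"}                    # placeholder, not a real sanctions list
NOTIONAL_LIMIT = 10_000_000                      # "no single trade can exceed $10M notional"
LARGE_AMOUNT = 1_000_000                         # threshold used by the combined-signal rule
WHITELIST = {("FUND-A", "CUSTODIAN-1")}          # pre-approved recurring (customer, counterparty)
TUNABLE = {"NOTIONAL_LIMIT", "UNUSUAL_PATTERN"}  # a whitelist may suppress these; never SANCTIONS

@dataclass
class Txn:
    txn_id: str
    customer: str
    counterparty: str
    amount: float
    country: str
    new_counterparty: bool
    hour: int            # local hour of submission, 0-23

def evaluate(t: Txn) -> list:
    """Return the names of the rules this transaction violates."""
    hits = []
    if t.amount > NOTIONAL_LIMIT:
        hits.append("NOTIONAL_LIMIT")
    if t.country in SANCTIONED_COUNTRIES:
        hits.append("SANCTIONS")
    # Combined signal: large AND new counterparty AND outside 07:00-19:00; each alone is routine.
    if t.amount > LARGE_AMOUNT and t.new_counterparty and not (7 <= t.hour < 19):
        hits.append("UNUSUAL_PATTERN")
    if (t.customer, t.counterparty) in WHITELIST:
        hits = [h for h in hits if h not in TUNABLE]
    return hits
def screen(txns: list) -> list:
    return [(t.txn_id, rule) for t in txns for rule in evaluate(t)]  # one tuple per logged exception
def exceptions_per_million(n_exceptions: int, n_txns: int) -> float:
    return n_exceptions * 1_000_000 / n_txns
def needs_tuning(dispositions: list, limit: float = 0.2) -> bool:
    """True when more than `limit` of closed exceptions were dismissed as false positives."""
    dismissed = sum(d == "dismiss" for d in dispositions)
    return bool(dispositions) and dismissed / len(dispositions) > limit

SAMPLE = [  # constructed transactions; comments give the expected outcome
    Txn("T1", "FUND-A", "BROKER-X", 12_000_000, "US", False, 10),    # > $10M -> NOTIONAL_LIMIT
    Txn("T2", "CUST-B", "SHIP-CO", 50_000, "ZZ", True, 11),          # sanctioned -> SANCTIONS
    Txn("T3", "CUST-C", "NEW-LLC", 2_000_000, "GB", True, 3),        # large+new+03:00 -> UNUSUAL_PATTERN
    Txn("T4", "CUST-C", "OLD-LLC", 2_000_000, "GB", False, 3),       # known counterparty -> no hit
    Txn("T5", "FUND-A", "CUSTODIAN-1", 15_000_000, "US", False, 9),  # whitelisted -> suppressed
    Txn("T6", "FUND-A", "CUSTODIAN-1", 100, "ZZ", False, 9),         # whitelisted but sanctioned -> SANCTIONS
]
```

Running `screen(SAMPLE)` yields four exceptions from six transactions; feeding the analysts' dispositions for those into `needs_tuning` is the periodic false-positive review the text recommends.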
Remediation and preventing recurrence
When an exception is substantiated, remediation aims not just to fix the immediate issue but to prevent recurrence.
Trader exceeds loss limit:
- Immediate: Freeze the position, reverse losing trades if possible.
- Preventive: Reduce the trader’s daily allocation, increase intraday monitoring, require the trader to attend retraining.
Customer transaction to a sanctioned country:
- Immediate: Block the transaction, file a SAR, freeze the customer’s account.
- Preventive: Ensure the sanctions screening rule is working; re-check if this customer was properly vetted at onboarding.
Unsuitable product sale:
- Immediate: Reverse the transaction, refund the customer.
- Preventive: Revise the suitability questionnaire, retrain the sales team, impose a review approval for this product type.
Documentation of remediation is critical. In a regulatory exam, auditors want to see: “We found the problem, here is what we did, and here is how we will prevent it.”
Technology and exception management
Modern compliance teams use:
- Case management systems to track exceptions from alert to closure
- Analytics dashboards to spot trends (Is the exception rate for a given trader rising? Is a rule's hit rate changing?)
- Workflow automation to route exceptions to the right approver
- Data integration to link exceptions across systems (a customer flagged in one system should be flagged in all)
However, these systems require human judgment. A machine can flag that a customer’s transaction is unusual; only a human can investigate whether it’s legitimate or suspicious.
The relationship to regulatory exams
Regulators (the SEC, FINRA, the Federal Reserve, FinCEN) routinely examine exception logs. They assess:
- Are exceptions being caught and logged? (If a violation occurs and no exception was generated, that is a control failure.)
- Are exceptions being investigated promptly?
- Are decisions documented and justified?
- Are remediation steps reasonable and effective?
- Is the exception rate consistent with risk appetite?
A firm with poor exception reporting—hidden exceptions, delayed investigation, no documented decision—can face regulatory criticism, fines, or consent orders.
See also
Closely related
- AML Onboarding vs Ongoing Monitoring — Compliance monitoring that feeds exceptions when violations are detected
- Suspicious Activity Report (SAR) — A specific type of exception that must be filed with FinCEN
- Market Conduct Compliance — Rules around trading and communications that generate exceptions
- Suitability and Conflicts — Advisor and product-suitability exceptions
- Control Self-Assessment — The broader framework in which exception reporting sits
Wider context
- FINRA — Oversees compliance for broker-dealers; regularly reviews exception logs
- Bank Secrecy Act — Requires institutions to have procedures for identifying and reporting suspicious activity
- Dodd-Frank Act — Extended compliance requirements for financial firms
- Federal Reserve — Examines exception management at banks
- Regulatory Risk — The risk that compliance failures trigger fines or enforcement action