Lee Werrell, CEO of ComplianceConsultant.org, Gets Back Down To Basics
The regulators accept that managing compliance risk is complex and demanding, but they are also keen that firms have a clear understanding of the role of regulatory compliance and of managing risk. Irrespective of how compliance is structured within any firm, it should be both independent and challenging, to ensure that the firm’s regulatory and compliance risks are effectively managed.
The compliance function will be continually evolving against the backdrop of regulatory change and risk emergence – and in line with FCA expectations. Recent enforcement action should serve as a significant warning to CF10s and their executive colleagues that they can (and will) be held personally responsible for any failures in their firm’s systems and controls.
However, it remains important to maintain the right balance between providing guidance to the business line management and applying robust and effective monitoring activities. Increasingly, firms are developing compliance structures that assume both an advisory and monitoring role.
Robust Compliance Monitoring
Compliance departments must take responsibility for identifying and managing the regulatory compliance risks to which the business is exposed. The design and implementation of a robust compliance monitoring programme would typically involve:
- Designing a regulatory risk “footprint” or “overlay” for the firm;
- Providing support as well as challenge for the first line defence in respect of the completeness and accuracy of compliance risk management activities, including identification and measurement;
- Providing the Board, business units and approved persons with advice, evidence and assurance that the firm is meeting its regulatory obligations, and with advice on the creation and implementation of the firm’s regulatory-compliant governance;
- Monitoring the organisation’s compliance with relevant laws and internal risk policies; and
- Accurate reporting and interpretation on compliance matters that warrant the attention of the Board and other SIFs.
The recent focus on Conduct Risk – aligned with FCA expectations, as well as a true commitment to treating customers fairly – underlines the point that any compliance monitoring should be focused on positive and fair outcomes for customers, and not just on processes. This focus should not just be on the sales process or financial promotions, but should include the entire customer journey.
So Who Is Responsible For Compliance?
Unlike IT, finance or administration, the question of who is responsible for compliance in your firm has many answers. It is not simply a case of the compliance officer being responsible for compliance within the firm: compliance, like risk, is a far-reaching discipline, and the responsibility for attaining compliance rests with the entire staff, as directed by Senior Management.
It could be argued that the compliance department should not actually exist in any firm, since treating compliance as the responsibility of the entire staff would relegate the monitoring of compliance to internal audit, in larger firms, or to the executive function in smaller firms.
The regulator leaves no doubt about the role of senior management in enforcing the rules: “A firm’s senior management is responsible for ensuring that its business complies with regulatory requirements.” And the FCA’s Enforcement Guide says in paragraph 2.31 (Senior Management Responsibility, http://tinyurl.com/oa8kz9y): “The FCA is committed to ensuring that senior managers of firms fulfil their responsibilities. The FCA expects senior management to take responsibility for ensuring firms identify risks, develop appropriate systems and controls to manage those risks, and ensure that the systems and controls are effective in practice.”
In fact, if you scoured the FCA Handbook you would find that nowhere does it state that the compliance officer or the compliance department is “responsible” for compliance. You’d be hard-pressed to find any official regulatory references to anyone called the compliance officer. Only in the financial services world could we have such an ill-defined role giving rise to such a massively resourced profession as the compliance industry.
Although everyone is responsible for a firm’s compliance, it is the role of compliance management to develop appropriate compliance and risk management information that identifies and assesses relevant risks, to ensure the firm is delivering fair outcomes for customers.
A helpful definition of the role of compliance could be: “We define compliance within our firm as the function of identifying relevant legislative, regulatory and best practice requirements and then implementing the required changes to our systems and controls to facilitate adherence to these obligations on an ongoing basis.”
What Are The Benefits Of Compliance?
That’s not such a silly question as it might sound. It never hurts to ponder the reasons why we have to deal with these things.
Fundamentally, the detailed regulatory compliance rules are aimed at ensuring that customers get a fair deal and are fully aware of all risks, benefits and challenges involved in the execution of their order or investment planning. Basic business sense would dictate that if we serve our customers well, they are likely to remain happy and less likely to complain or enter litigation.
Improved systems, including the customer-focused rules on reporting, customer agreements, notifications etc., mean that the service you provide is more transparent to the onlooker and therefore more credible and dependable.
Maintaining a firm’s integrity and fairness to its customers not only increases loyalty but also leads to referrals of other quality customers and, over the long term, provides a sustainable competitive advantage.
Ultimately, the fair treatment of customers, transparent procedures and processes, and full disclosure and explanation should increase profit and maintain the firm as a supplier of financial services long into the future.
Not all regulatory requirements are directly concerned with improving the customer buying experience: many are aimed at enhancing the firm’s internal systems and controls to improve the efficiency of the firm.
It has long been understood that a well-run, well-managed and robust firm with effective governance systems in place can identify accountability at all levels and ensure correct apportionment and oversight of the controls in place. This in turn produces a wealth of management information to feed a successful risk and compliance model feedback loop.
Compliance and efficient internal arrangements mean that you are less likely to have to pay out money in fines or to find additional resource to administer your procedures and processes. This is also likely to mean less litigation, and the general efficiencies will obviously lead to lower costs.
Stronger and more robust systems and controls often allow for greater leniency under the regulatory capital regimes, as long as their effectiveness can be proven. Compliance is one of the unsung heroes that save companies from disaster: there is rarely any measure that can be said to save a company money as clearly and directly as a solid, well-implemented risk framework.
Reputation is becoming increasingly important in the financial services world, and the FCA have stated they will be looking at ways that can best measure a firm’s reputation and mitigate any negative press it may receive. Compliance involvement in the systems and controls for both business continuity planning as well as crisis management planning can ensure minimal negative and maximum positive emphasis on any reputational impact.
With the increased use of social media and the internet generally, a red flag is waved toward the regulators every time your company is mentioned in a bad light. If you can show that your systems and controls are effective whenever these instances occur it is more likely that you will have a light touch approach from the regulators if they were to make enquiries. Just because you don’t know what people are saying about you online, doesn’t mean there are no issues.
The main benefits to your firm can and often will be hidden amongst the commercial crises that form the peaks and troughs of normal operation within any firm. This is why it is vital to keep a log of all advice, questions, queries, recommendations and other responses that you may come across on a day-to-day basis. An additional benefit of keeping this log is that it provides an audit trail as well as justification for the effectiveness of the department and shows the involvement within the culture of the company.
Your knowledge of the rules and the rulebooks, combined with knowing the regulatory hotspots and the industry friction areas, gives you the information to guide your firm through the annual business plan in a compliant way, with little expectation of regulatory scrutiny, poor reputation or other such associated compliance horrors.
Operating a clear, straightforward and effective complaints department helps protect our firm from vindictive and irresponsible customers who sometimes enjoy malicious acts that will waste management time and cause unrest among staff. This also provides another area for the Compliance Manager to justify the work that is conducted by providing good management information on financial promotions and complaints, elements which are often taken for granted or overlooked by the rest of the staff unless they are directly involved.
In summary, what compliance functions do is often hidden or simply invisible from the general perspective, and is often considered an expensive necessity. That the function is generally well run, or that no issues have resulted, does not mean we should not review its effectiveness. To do this properly, we have to know our own definition of compliance and identify the impacted areas and the boundaries of that impact within the firm.