Turning Bad Headlines into Good Compliance: The role of the Compliance Officer in 2018
Monday 26th February 2018
In recent years, the financial services industry has become synonymous with the word ‘scandal’; in 2017, the FCA issued fines totalling £229.5 million to firms and individuals[i]. With every reported failure and fine, a spotlight has been placed on the lack of sufficient challenge Compliance provides to the first line of defence. With the return of mammoth fines from regulators and an ever-evolving regulatory landscape, Compliance departments are now under significant pressure to adapt and move towards becoming a truly independent second line of defence.
The Role of Compliance
Most, if not all, firms employ a traditional three lines of defence model. Responsibilities are divided between these functions as follows[ii]:
Source: Chartered Institute of Internal Auditors, Governance of Risk: Three lines of defence
The number of firms realising the value of investing in a strong Compliance function has steadily increased; effective Compliance functions can prevent infringements and assist with mitigating fines if a violation has been committed. Although it remains the responsibility of the first line of defence to own and mitigate compliance risks inherent to their business, firms must “maintain a permanent and effective Compliance function which operates independently”[iii] and has the necessary authority to ensure that firms are conducting business in full compliance with all applicable laws, rules and regulations.
Compliance functions often experience a lack of engagement with the front office due to Compliance’s weaker understanding of certain business models or products, such as advancements in RegTech, or of the precise nature of complex, new or emerging rules. As a result, the front office is not always receptive to challenge or to the importance of regulation. Compliance functions must therefore strike the right balance between assessing the effectiveness of the first line’s risk management efforts and their perceived role as adviser and key provider of challenge, without encroaching on the first line of defence’s ownership and management of risk. Attempting to shut the stable door before the horse bolts – again – regulators have responded by placing increased emphasis on how the Compliance function must adapt to address emerging concerns.
There are no specific requirements regarding how an effective Compliance programme should be structured, but Compliance functions are directed by regulators’ enforcement decisions, statements and published guidance when making such decisions. With this guidance in mind, there are several areas that Compliance must prioritise in the upcoming years.
Part of the regulatory response to the scandals that rocked the financial services industry was to introduce the Senior Managers and Certification Regime (SMR) in March 2016[iv]. The SMR aims to boost personal accountability by putting the onus on senior managers to demonstrate that they are doing the right thing and challenge the status quo. In terms of how this impacts the relationship between the first and second lines of defence, it should lead to greater cooperation and the respective Compliance Officer should be viewed as a “trusted advisor” to the Business rather than a stranglehold on their ability to make a profit for the firm.
Compliance itself is in scope of SMR - the Chief Compliance Officer (CCO) is a designated Senior Management Function (SMF) and general Compliance employees fall under the definition of “Other Conduct Rules” personnel. CCOs are now located at the top of the management responsibilities map, with extensive obligations specifically assigned to them. As a result of SMR, Compliance Officers will be required to take on additional responsibility and ensure best practices are embedded within their respective business areas. Failure to meet these expectations may subject Compliance to enhanced scrutiny from regulators and lead to Compliance Officers being held personally accountable for the actions of others in their business areas.
Internal and external reporting are an essential part of the Compliance function.[v] High-quality information is critical for encapsulating risks and presenting them to senior managers and regulators, providing an information flow that evidences a compliant Business. The increased focus on personal liability has made it a necessity that Boards and senior managers have a clearer understanding of where compliance risk exists within their Business.
Compliance, Internal Audit and Legal must combine reporting at the highest level of the firm to present a single, coherent view on risk management to the Board[vi]. One way of achieving this is through the formation of Attestation Packs by Compliance. Attestation Packs provide a holistic view of different divisions within the Business, providing senior management with quality, meaningful data, in place of vast quantities of complex numbers and incongruous figures.
Regulators have taken the view that Compliance in many firms do not offer sufficient challenge to the first line of defence. As per the FCA Handbook, an effective compliance function should operate independently and have the authority to “monitor and assess the adequacy and effectiveness of the measures and procedures put in place” by the first line of defence[vii].
Compliance Reviews are a combination of Compliance monitoring and testing activities that aim to independently evaluate controls designed to mitigate compliance risk across the first line of defence. Compliance Reviews take a risk-based approach and consider numerous factors including: (i) internal risk assessments, (ii) regulatory changes, (iii) changes in the Business and control environment and (iv) previous findings[viii]. Reviews can be mandatory, completed as a response to regulatory and Audit commitments, or targeted as a response to both known and emerging risks.
Reviews undertaken by Compliance can uncover weaknesses and document corrective actions taken, in addition to enhancing the visibility of the Compliance department to the Business. Issues discovered during monitoring and testing activities can be escalated appropriately and mitigated before they become scandals.
There is now a greater focus on Compliance monitoring, with many firms increasing headcount and investing in systems designed to enhance the effectiveness of these activities. In some firms, monitoring and testing teams have been centralised into single units.
The implementation of the Market Abuse Regulation (MAR)[ix], as well as the fallout from the FX[x] and LIBOR[xi] scandals, placed heightened emphasis on improving surveillance systems within Compliance. Compliance must have robust surveillance procedures (whether it be voice, e-communications or trade) in place that can detect any regulatory breaches such as market abuse and insider trading. Trade surveillance can take the form of pre-trade or post-trade surveillance.
Pre-trade surveillance programs can be used to validate trade instructions, ensure trading thresholds are not breached and prevent trades being transacted on restricted instruments, whilst post-trade surveillance can monitor for front-running, suitability, best-execution and regulatory transaction reporting, the findings of which are included in quarterly Attestation Packs provided to senior management.
The regulatory landscape for financial services is constantly changing. In fact, nearly every firm approached by the FCA ranked regulatory change as the most significant challenge facing firms due to the volume, pace and complexity of new regulation impacting the industry[xii]. The challenge of regulatory change emanates from a wide range of factors including new regulations, new technologies, and the adaptation of traditional control models to complex new products or business models. Over the last few years, we have seen the implementation of key pieces of regulation including MiFID II, MAR and EMIR (with the General Data Protection Regulation on the horizon in 2018).
It is the responsibility of Compliance, in conjunction with front office management, to track regulatory change impacting their respective Business areas. Business and product knowledge is required to better understand whether regulatory change impacts a respective business area and to what extent. In conjunction with communication and influencing skills, this knowledge is also required to effectively challenge front-office activities. Failure to correctly identify regulatory change in a timely manner can lead to non-compliance and potentially damage the relationship between the first and second lines of defence. A double-check on existing compliance, provided by surveillance and monitoring activities, can guarantee that current regulation has been implemented correctly.
Compliance must also be prepared to engage with policymakers to try to influence future policy and mitigate uncertainty. The reporting and discussion of risk management to senior managers can be utilised by Compliance as the basis for developing a lobbying strategy on potential regulatory change. For this to be successful, firms must have the resources and competent understanding of the evolving stances and approaches that regulators take. This involves considering rules and regulations made at jurisdiction level and policy making by supranational bodies, such as the Financial Stability Board, the Basel Committee on Banking Supervision and the International Monetary Fund.[xiii] Consequently, firms are obligated to invest in skilled risk and compliance resources capable of responding to draft policy and rule changes and must submit written responses to follow up with the relevant politicians and supranational bodies.
The banking industry is becoming increasingly digitalised, with Compliance functions now more reliant on technology to assist with meeting their own objectives. The Compliance function needs to be involved at every stage of any new development within the financial sector, and is required to have the knowledge, skills and understanding to apply relevant policies and procedures to technological business plans. Most firms will need to adapt to future investment in front-office technology by significantly upskilling their compliance staff through hiring and training.
The increasing prevalence of Regulatory Technology (RegTech) is proving to have a monumental impact on regulatory compliance, disrupting the familiar compliance landscape by providing technologically advanced solutions to growing demands. Regulators expect Compliance departments to invest in surveillance systems capable of providing an adequate challenge to the front line; any Compliance function reluctant to deploy adequate RegTech solutions to aid regulatory risk management will likely be subjected to increased scrutiny by regulators.
This is an area that will require substantial investment. As of 2017, only 21% of firms have declared themselves fully engaged with RegTech, with 24% of firms admitting that their budget lacked room for regulatory technology and 35% expected the RegTech budget to grow in the coming year (2017-2018)[xiii]. With algorithmic and electronic trading progressively dominating the industry, it is more important than ever that RegTech flourishes, supported by suitably skilled Compliance functions capable of implementing protocols that permit consistently good and compliant outcomes.
With the rising costs of non-compliance, turning yesterday’s bad headlines into tomorrow’s good compliance is more important than ever. Compliance plays a pivotal role in achieving this outcome. Compliance Officers need to adapt to the ever-changing financial services landscape to provide independent, effective challenge and cultivate a culture of good compliance in their organisations.