Global Financial Compliance PDF
Summary
This document provides a comprehensive overview of global financial compliance, emphasizing the importance of integrated systems and controls. It covers various aspects, including the role of the board, senior management, and the compliance function. Key regulatory principles and procedures for adherence to international standards are highlighted.
Full Transcript
The Compliance Function

1. International Best Practice

1.1 Systems and Controls

Learning Objective
2.1.1 Understand the fundamental systems and controls a firm should implement in order to conduct its business in line with international regulatory standards

1.1.1 Organising Appropriate Systems and Controls to Ensure Compliance

Compliance is most effective in a corporate culture that emphasises standards of honesty and integrity and in which the board of directors and the senior management lead by example. In other words, compliance starts at the top. However, it does not stop there, and it is vital that compliance is a concern of everyone in an organisation and should be viewed as an integral part of the firm’s everyday activities. This also means observing the spirit, as well as the letter, of the law.

A firm needs to establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm (covering its managers, employees and representatives) with its obligations under the regulatory system in which it operates, and for countering the risk that the firm might be used to further financial crime (including money laundering (ML)).

Compliance risk, generally, is seen as the risk of legal or regulatory sanctions, material financial loss, or loss to reputation as a result of failure to comply with laws, regulations, rules, related self-regulatory organisation (SRO) standards, and codes of conduct applicable to the firm’s business.

Compliance is not the responsibility of specialist compliance staff alone. It needs to be embedded within a firm and become part of its culture. Nevertheless, a firm will be able to manage its compliance risk more effectively if it has a compliance function in place, the organisation of which may vary between firms. In a small firm, it may be an individual person, it may be a separate department or it may form a discrete part of an overall risk management function. In particularly large and/or international firms, compliance staff may be located within business lines and have group and local compliance officers; separate units may also be established to deal with the prevention of money laundering and terrorist financing (ML/TF).

Irrespective of the organisational structure, an effective compliance function should operate independently, be sufficiently resourced, and have the following responsibilities:
1. To regularly assess and monitor the adequacy and effectiveness of the measures and procedures put in place, and the actions taken to address any deficiencies in the firm’s compliance with its obligations.
2. To advise and assist the relevant persons responsible for carrying out regulated activities to comply with the firm’s obligations under the regulatory system.

The Basel Committee on Banking Supervision (BCBS) has issued a set of ten principles relating to compliance and the compliance function. While these principles are aimed at banks, their general approach has a much wider application for firms across the financial sector subject to regulation. The BCBS principles can be found at www.bis.org/publ/bcbs113.pdf.

1.1.2 Responsibilities of the Board

The first of the BCBS principles is that the board of directors is responsible for overseeing the management of the firm’s compliance risk. The board should approve the firm’s compliance policy, including a formal document establishing a permanent and effective compliance function. At least once a year, the board or a committee of the board should assess the extent to which the firm is managing its compliance risk effectively. A firm’s compliance policy will not be effective unless the board of directors promotes the values of honesty and integrity throughout the organisation. Compliance with applicable laws, rules and standards should be viewed as an essential means to this end.

As is the case with other categories of risk, the board is responsible for ensuring that an appropriate policy is in place to manage the firm’s compliance risk. The board should oversee the implementation of the policy, including ensuring that compliance issues are resolved effectively and expeditiously by senior management with the assistance of the compliance function. The board may, of course, delegate these tasks to an appropriate board-level committee (eg, its audit committee).

1.1.3 Responsibilities of Senior Management

The BCBS principles also set out the responsibilities of senior management, who are responsible for:
- the effective management of compliance risk, and
- establishing and communicating a compliance policy, ensuring that it is observed and reporting to the board of directors on the management of the firm’s compliance risk.

Therefore, senior managers are responsible for establishing a written compliance policy that contains the basic principles to be followed by management and staff, and explains the main processes by which compliance risks are to be identified and managed through all levels of the organisation. Clarity and transparency may be promoted by making a distinction between general standards for all staff members and rules that only apply to specific groups of staff.

Senior management are also responsible for ensuring that compliance policy is observed and that appropriate remedial or disciplinary action is taken if breaches are identified. They should also identify and assess the main compliance risk issues facing the firm (with the assistance of the compliance function, at least once a year) and the plans to manage them. Such plans should address:
- any shortfalls (policy, procedures, implementation or execution) related to how effectively existing compliance risks have been managed, and
- the need for any additional policies or procedures to deal with new compliance risks identified as a result of the annual compliance risk assessment.

Senior management should:
- at least once a year, report to the board of directors or a committee of the board on the firm’s management of its compliance risk, in such a manner as to assist board members to make an informed judgement on whether the firm is managing its compliance risk effectively, and
- report promptly to the board of directors, or a committee of the board, on any material compliance failures (eg, failures that may attract a significant risk of legal or regulatory sanctions, material financial loss, or loss to reputation).

1.2 Adequate Resources

Learning Objective
2.1.2 Understand BIS Principle 6 and the requirement for adequate resources

Principle 6 of the BCBS principles on ‘compliance and the compliance function in banks’ states: ‘The bank’s compliance function should have the resources to carry out its responsibilities effectively’. The resources should be both sufficient and appropriate for effective management of the firm’s compliance risk. In particular, compliance function staff should have:
- the necessary qualifications, experience and professional and personal qualities to enable them to carry out their specific duties, and
- a sound understanding of compliance laws, rules and standards and their practical impact on the firm’s operations.

The professional skills of compliance function staff, especially with respect to keeping up to date with developments in compliance laws, rules and standards, should be maintained through regular and systematic education and training.

1.3 Compliance Manual and Policies

Learning Objective
2.1.3 Understand the practical applications of a formalised document of compliance policies and procedures: compliance manual

1.3.1 Purpose of the Compliance Manual

The purpose of the compliance manual is to formally document the standards to be followed by all employees in their personal conduct and in conducting business with customers and counterparties. It also serves to expand upon compliance-related content of the company’s corporate governance manual in relation to:
- the legal and regulatory obligations of employees and contracted agents, and
- the policies and procedures that apply to the business and personal conduct of employees and agents to ensure that they comply with the laws, regulations, rules and codes that govern the firm’s conduct of business as a regulated firm.

All managers and directors of the company are responsible for ensuring that the members of their teams read, understand and are fully conversant with the contents. It should be remembered that this manual is not a procedures manual, but rather provides policy and guidance. Detailed procedures are normally produced by the various operational business areas and overseen by managers or directors who will be responsible for ensuring that their staff know where to find such information.

1.3.2 Scope of the Compliance Manual

The compliance manual endeavours to give a high-level overview of the rules and regulations of the regulatory bodies governing the firm’s business. For firms operating internationally, it is important to clearly document how differing or overlapping regulatory requirements will affect operations and staff. The compliance manual provides employees with the information required to comply with the rules and regulations applicable to their activities. These may include relevant laws of the countries in which the firm directly operates, or in which its clients are situated. Ignorance of the law or relevant rules and regulations will not protect the company or its employees. Employees are urged to consult with the compliance function if problems arise.

The compliance function normally seeks feedback from staff with a view to regular updating of the compliance manual. It is important that it is a ‘living’ document and the compliance function needs to keep everyone informed of significant developments arising from regulatory changes and experience throughout the company. Many firms now use an online compliance manual with search facilities and links to online learning modules and relevant regulatory websites. See Appendix 1 for an example of the contents page of a compliance manual.

1.3.3 Communicating the Formal Status of the Compliance Function

The compliance function must have a formal status within the firm to give it the appropriate standing, authority and independence. This may be set out in the firm’s compliance policy or in any other formal document. The document should be communicated to all staff, either electronically via an intranet site or by other means. The compliance policy needs to be included in induction and other relevant training.

The compliance manual will contain the following with respect to the compliance function:
- Its role and responsibilities.
- Measures to ensure its independence.
- Its relationship with other risk management functions within the firm and with the internal audit function.
- In cases where compliance responsibilities are carried out by staff in different departments, how these responsibilities are to be allocated among the departments.
- Its right to obtain access to information necessary to carry out its responsibilities, and the corresponding duty of staff to cooperate in supplying this information.
- Its right to conduct investigations of possible breaches of the compliance policy and to appoint outside experts to perform this task if appropriate.
- Its right to be able to freely express and disclose its findings to senior management, and if necessary, the board of directors or a committee of the board.
- Its formal reporting obligations to senior management.
- Its right of direct access to the board of directors or a committee of the board.

1.4 An Effective Compliance Function

Learning Objectives
2.1.4 Understand how an effective compliance function can add value to a business
2.1.5 Know how to produce and implement an effective compliance programme

The compliance function needs to take a proactive approach to its dual responsibilities of monitoring the business and providing advice to senior management. A well-run compliance function can be a tremendous competitive advantage to a firm, helping to build a strong reputation and attract business. The key purposes are to:
- provide reassurance to the board and senior management that the business is operating in a compliant manner, through regular reports, ad hoc reports and other management information
- provide advice and assistance to the board, directors, management and staff to help them to meet their compliance responsibilities
- identify and record good and bad practice; provide feedback on failures in controls and compliance and provide recommendations for improvements and, where necessary, remedial action
- provide analysis and early warning of regulatory change which may impact the business, and ensure that such change is communicated to the board and management
- build a good and open relationship with the firm’s regulators to ensure they have a good understanding of the business, the risks involved and how those risks are controlled, and to facilitate business development where new permissions or licences are required and, where necessary, resolve issues, and
- where relevant, respond and coordinate responses to proposed legislation or regulations with a view to achieving regulations that, while meeting the objectives, take into account the practical implications for businesses; such responses may be direct with regulators or through trade associations.

An effective compliance function will add value to the business. It will keep it on a compliance path, and its involvement and advice will be sought by all levels of staff in the business. Such a function will contribute to innovation, business development and other projects. It will be seen as a business enabler rather than a stereotypical business-prevention unit. The compliance function will provide senior management with information and advice on compliance laws, rules, and standards. It will also provide guidance and education for senior management – especially during times of substantial regulatory change or when the firm is expanding into new product areas.

While these matters can be of great value when successfully deployed, it is important that the compliance function continues to provide a thorough monitoring programme and ensure that compliance risk is understood. The compliance officer must, therefore, be able to secure the resources needed to deliver these goals.

The compliance function usually supports operational areas when preparing/reviewing their procedures and policies, to ensure that underlying regulatory requirements are correctly incorporated into the material. With this support given, the first line of defence is better equipped to prevent problems arising, and the compliance team builds valuable engagement ahead of future monitoring activity.

The compliance function may include specific statutory roles (eg, an officer fulfilling the role of money laundering reporting officer (MLRO)), and may liaise with relevant external bodies, including regulators, standard setters and external experts. They may also be responsible for ensuring that relevant regulatory returns and filings are made, for example, working with a corporate finance department and signing off the adequacy of capital calculations, or arranging for regular reporting of transactions, complaints, client assets and money. Prior to new directors or senior managers taking up their responsibilities, the compliance function staff would normally coordinate the application to regulators for approval of those individuals, where required. Similarly, where there is any need for authorisation or a variation of the permissions a firm holds, compliance function staff would complete or advise on those applications.

1.4.1 Identification, Measurement and Assessment of Compliance Risk

The compliance function proactively identifies, documents and assesses the compliance risks associated with the firm’s business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships. If the firm has, for example, a new products committee, operations committee or risk management committee, compliance function staff should be represented on such committees.

The compliance function needs to measure compliance risk (eg, by using performance indicators) and use such measurements to enhance compliance risk assessment. Technology can be used as a tool in developing performance indicators by aggregating or filtering data that may be indicative of potential compliance problems (eg, an increasing number of customer complaints, breach trends, or irregular trading or payments activity). The compliance function must assess the appropriateness of the firm’s compliance procedures and guidelines, promptly follow up any identified deficiencies, and, where necessary, formulate proposals for amendments.

1.4.2 Monitoring, Testing and Reporting

The compliance function needs to monitor and test compliance by performing sufficient and representative compliance testing. The results of the compliance testing are reported to the head of compliance in accordance with the firm’s internal risk management procedures. Determining what needs to be monitored is part of developing the compliance programme.

On a regular basis, the head of compliance reports to senior management on compliance matters. The reports include:
- the compliance risk assessment during the reporting period, including any changes in the compliance risk profile based on relevant measurements, such as performance indicators
- a summary of any identified breaches and/or deficiencies and the corrective measures recommended to address them, and
- a report on corrective measures already taken.

The reporting format will be commensurate with the firm’s compliance risk profile and activities.

1.5 Compliance Monitoring Programme

Learning Objectives
2.2.10 Understand the purpose of a compliance monitoring programme: risk-based; reporting; planned
2.2.11 Understand the key considerations in developing a compliance monitoring programme
2.2.12 Understand how to conduct an effective compliance monitoring programme: working papers; minute meetings with senior management; management responses; risk mitigation plans

The compliance programme sets out the responsibilities of the compliance function and its planned activities such as the implementation and review of specific policies and procedures, compliance risk assessment, compliance testing, and educating staff on compliance matters. It is the responsibility of the head of compliance, or equivalent, to ensure appropriate coverage across businesses and coordination among risk management functions.

The purpose of the compliance monitoring programme is to provide an independent review of the operational work performed by the firm, with a focus on two elements:
1. To confirm whether operational tasks are being performed in line with operational procedures.
2. To confirm whether operational procedures continue to reflect current regulatory requirements.

It is impractical for the compliance function to review every item of processed work – the cost of supporting such oversight would be uneconomical – and so the compliance function must establish a method for performing sufficient oversight to be confident that the underlying risks have been appropriately controlled. Hence, the compliance monitoring programme must be risk based.

The programme involves the review and testing of documentation and completed work items, to identify findings and recommendations for improvements. Specific working papers are generally used, detailing the parameters of the testing to be performed, in order to ensure that the scope of each monitoring review is achieved. The completed working papers also provide a clear evidential record of the review work performed and the specific items that gave rise to findings.

While such compliance efforts should be independent of operations, it is important that senior management of the operational area concerned understand the findings and agree on the remedial action to be taken. Formal reporting to senior managers in the business is a common step to ensure that all business areas are aware of the types of issues being identified and the actions being taken to rectify problems. In larger programmes, the compliance function produces a risk mitigation plan to provide the board with an overall view of how compliance engagement with the operational areas is improving the risk position of the business.

While firms establish their programmes in different ways, there are essentially three key stages:

Stage 1 – Information Gathering

Information is gathered on potential adverse events – such as errors that may arise in the activities undertaken by the firm in delivering its products and services.
These may include:
- payments not made on time
- suspicious activity not reported
- failure to complete reconciliations (assets or money)
- late execution of client instructions
- late handling or mishandling of complaints or breaches, and
- unsuitable investment advice.
(The above is an illustrative, rather than exhaustive, list.)

Stage 2 – Scoring

The events identified as part of Stage 1 are scored for financial impact, exposure and probability. In designing the scoring method, it is necessary to decide whether each metric will be scored using discrete values (eg, a cash value in sterling or a frequency in days) or using relative values.

Financial Impact

Financial impact reflects the magnitude of financial cost were the adverse event to crystallise, and is usually a relative measure (eg, a ‘1’ may mean an event that could threaten the company’s continued existence, while a ‘3’ may indicate significant operational disturbance but not have catastrophic potential). This has benefits because actual or estimated costs vary according to:
- the precise nature of the event (versus its high-level definition as per Stage 1)
- the particular area or element of activity that gives rise to it, and
- precise values, if the event relates to investment transactions.

Similarly, the potential financial impact of a regulatory transgression is difficult to reliably forecast. Factors to be considered should include:
- investigation costs (potentially including third-party review)
- compensation costs to affected customers
- legal costs in defending the company against regulatory action, and
- potential regulatory fines.

A final consideration is the requirement to include the future financial impact of loss of goodwill and/or reputation due to the event, but the near impossibility of attributing any particular value or amount. Consequently, financial impact is generally scored according to a set of relative impact ratings (eg, a scale from ‘high’ to ‘low’). The head of financial management, for example, the finance director or financial controller, will often assist by scoring individual events per area, providing experience of the level of past costs, and offering an informed assessment of likely impact were an event to occur.

Exposure Frequency Score

Exposure means how often the activity occurs that could give rise to the adverse event. This can, for example, be implemented using a conversion table that provides a value approximating to the number of occurrences expected/evidenced in a single year. Given the number of business days in a year, a value of 250 might be adopted as indicating a ‘daily’ event. From that starting point, you might build the following conversion table:
500 – Real-time
250 – Daily
50 – Weekly
10 – Monthly
4 – Quarterly
2 – Half-yearly
1 – Annually
0.5 – Infrequently
0.1 – Rarely

When deciding these values, the firm should ensure that the scoring model is appropriately balanced (to prevent certain types of events being given disproportionate attention, while other types of concerns do not sufficiently emerge). For example, the ‘real-time’ score needs to balance the following:
- Certain activities may occur twice in the working day (eg, work item batching or the receipt of postal deliveries), matching a score of 500.
- Setting a number greater than 500 increases the potential that the model could exaggerate the effect of an event.

While these scores are largely a matter of fact, care must be taken to ensure the scoring system does not incorrectly exaggerate or underplay events such as ‘infrequent, with extreme financial impact’ and ‘real-time events having little financial impact’. Use of an ‘additional probability weight field’ may be appropriate, or the use of ‘volume’ rather than ‘frequency’ might be preferable for some activities.

Probability Weight

The probability of the adverse event actually occurring must then be determined, taking into account the strength of procedures and controls within the area. This may be expressed as the ‘probability of the risk crystallising’, known as a ‘PORC’ factor, which reflects the annualised likelihood of an event occurring given the management controls that are in place. For example:
Low – 70%

Care must be taken when considering scores of 0% (an impossible event) or 100% (an inevitable event). Some scoring systems are designed not to recognise such scores, while others will permit them in certain circumstances. The initial assessment is based on consideration by compliance, audit and operations management of the findings from past and recent examinations or assessments, the incidence of breaches and complaints, and the extent of manual processes. Trends and proportions are more important considerations than absolute numbers, which, in any event, must be reviewed regularly.

Stage 3 – Weightings

The above variables represent the risk identified by the business. However, the compliance officer may need to use additional variables in order to determine the priority subjects for inclusion in the monitoring programme. Such weighting of priorities can be affected by the following variables:
- Anxiety weighting – what is currently worrying the compliance officer about industry/regulator-expressed concerns – perhaps the regulator is undertaking a thematic review on market timing or the care and protection given to client assets and money.
- Perspective – whereas the gathering of information has been largely based on past experience of adverse events, here it is appropriate to consider future volumes of business, proposed new areas and the implications for existing operations.
- Days since last tested – activities may be considered low risk, perhaps because of low value impact, or because the controls are considered so strong that it is unlikely that the activity would naturally come to the top as a result of the risk factors considered so far. In such cases, using a weighting based on the time elapsed since the activity was last reviewed, ie, one that increases as the time-span gets longer, means that eventually the activity will come to the top of the list and be included in the monitoring schedule.

Some firms prefer to use a plan which is fixed at one point in the year and then followed for 12 months. A more dynamic approach is to aim to complete the review of all activities over, for example, an 18-month period, but run the risk assessment on a quarterly basis to focus each quarter’s work on the most pressing activities; this also allows for any incidents or regulator concerns to be proactively incorporated into the programme.

1.6 Integration of Regulatory Requirements

Learning Objective
2.1.6 Understand how regulatory requirements should be integrated into operating systems, policies and procedures

It is important for a firm to ensure that the operational processes and procedures it employs deliver the outcomes required by regulation. It is also important that the firm establishes controls to ensure that implementation of new processes and procedures – including changes to associated IT systems – is performed based on a sound understanding of those regulatory requirements. The regulatory requirements must be integrated within the firm’s processes. Successful integration of regulatory requirements and the maintenance of compliant systems, procedures and controls require the concerted effort of the whole business and the people who make up the board of directors, management and staff of the firm. As with most compliance-related issues, integration starts from the top and depends heavily on the culture of the firm.
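The three-stage scoring model described in section 1.5 above (relative financial impact, the exposure conversion table, the PORC factor and the ‘days since last tested’ weighting) can be turned into a routine that ranks activities for each quarterly run of the risk assessment. The following is an added worked example in Python, not code from the original text; the impact scale, the staleness formula, the 18-month review cycle and the sample register of activities are assumptions made for the example.

```python
"""Risk-based prioritisation for a compliance monitoring programme.

Added worked example, not code from the source text. It applies the
three-stage model described above:
  Stage 2 - score each activity for financial impact (relative rating),
            exposure (frequency score from the conversion table) and
            probability weight (PORC);
  Stage 3 - apply a 'days since last tested' weighting so that an activity
            that never rises on risk alone is still scheduled eventually.
The impact scale, the staleness formula, the 18-month cycle and the sample
register are assumptions made for this example.
"""
from dataclasses import dataclass
from datetime import date

# Exposure frequency conversion table (the values given in the text).
EXPOSURE = {
    "real-time": 500, "daily": 250, "weekly": 50, "monthly": 10,
    "quarterly": 4, "half-yearly": 2, "annually": 1,
    "infrequently": 0.5, "rarely": 0.1,
}

# Relative financial impact ratings (assumed three-point scale, high to low).
IMPACT = {"high": 3, "medium": 2, "low": 1}

CYCLE_DAYS = 548  # assumed: every activity reviewed over roughly 18 months
ASSESSMENT_DATE = date(2024, 4, 1)  # constructed date of this quarterly run


@dataclass
class Activity:
    name: str
    impact: str        # key into IMPACT
    exposure: str      # key into EXPOSURE
    porc: float        # probability of the risk crystallising, 0 < porc < 1
    last_tested: date  # when compliance last reviewed the activity


def base_risk(a: Activity) -> float:
    """Stage 2 score: impact x exposure x probability weight.

    A PORC of exactly 0 (impossible event) or 1 (inevitable event) is
    rejected: this example's model is one that does not recognise them.
    """
    if not 0.0 < a.porc < 1.0:
        raise ValueError(f"{a.name}: PORC must be strictly between 0 and 1")
    return IMPACT[a.impact] * EXPOSURE[a.exposure] * a.porc


def days_since_tested(a: Activity, today: date) -> int:
    return max((today - a.last_tested).days, 0)


def priority_score(a: Activity, today: date) -> float:
    """Stage 3: base risk scaled by the time elapsed since the last review.

    Assumed formula: the multiplier grows linearly from 1.0 on the day of
    the last test to 2.0 at the end of the review cycle.
    """
    weight = 1.0 + days_since_tested(a, today) / CYCLE_DAYS
    return round(base_risk(a) * weight, 2)


def rank_activities(activities, today: date):
    """Order the register for the next quarter's monitoring schedule.

    Activities untested for a full cycle are overdue and go first regardless
    of score (this is what lets a low-risk activity reach the top of the
    list); the rest follow in descending priority score.
    Returns (name, score, overdue) tuples.
    """
    rows = [(a.name, priority_score(a, today),
             days_since_tested(a, today) >= CYCLE_DAYS) for a in activities]
    return sorted(rows, key=lambda r: (r[2], r[1]), reverse=True)


# Constructed sample register for one quarterly run of the assessment.
REGISTER = [
    Activity("Client money reconciliation", "high", "daily", 0.05, date(2024, 1, 15)),
    Activity("Suspicious activity reporting", "high", "weekly", 0.20, date(2024, 3, 1)),
    Activity("Complaints handling", "medium", "monthly", 0.30, date(2023, 6, 1)),
    Activity("Annual regulatory return", "low", "annually", 0.10, date(2022, 9, 1)),
]


def quarterly_schedule():
    """Ranking for the constructed assessment date; overdue items come first."""
    return rank_activities(REGISTER, ASSESSMENT_DATE)


if __name__ == "__main__":
    for name, score, overdue in quarterly_schedule():
        print(f"{score:8.2f}  {'OVERDUE' if overdue else '':8}  {name}")
```

In the sample run the annual regulatory return, the lowest-scoring activity, is scheduled first because it has gone untested for longer than the 18-month cycle, which is exactly the effect the ‘days since last tested’ weighting is meant to produce.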
The board and individual directors must consider whether they have the appropriate organisation and controls to ensure that regulatory requirements are integrated and compliance is embedded in the ethos of the firm. They should periodically review their high-level governance policies and procedures. 70 The Compliance Function People – the requirement is to establish an appropriate recruitment programme and hire staff with the right skills, knowledge and experience relating to the business. This includes setting out the required competencies, qualifications, experience expected and testing of candidates to ensure they have the appropriate skills and knowledge required. 2 Allocation of responsibilities – the use of a written job description is a useful guide for individuals and should include, at a high level, their regulatory responsibilities. This might include a responsibility for managers to train their staff in financial crime prevention, information security and treating customers fairly (TCF). Training – comprehensive training programmes should be in place, ranging from induction courses, on-the-job training, specialist sessions on regulatory areas and a requirement to undertake continuing professional development (CPD), including appropriate professional examinations, with access to regulatory updates or bulletins produced by the compliance function and industry updates. A minimum number of CPD hours should be set. Periodic training assessments and needs analysis should be undertaken which use information from a regular appraisal of staff or personal development reviews. Procedures – written procedures need to be in place for all areas of the business which provide guidance for staff on how to perform activities and incorporate compliance processes. In some firms, they will map the procedures and processes to the relevant regulations and rulebooks. These procedures should be reviewed and signed off periodically by the local management as compliant. 
The compliance function will check samples of these procedures as part of their monitoring assignments to ensure the validation process is being followed. The compliance function will have procedures for its own activities. Systems – the design of operational systems should incorporate all the relevant regulatory requirements. These should be documented in business requirements, system requirements or specification documents and be included as part of a robust system and user testing scripts. While the business areas should specify their requirements, the compliance function will often be called upon to provide advice and guidance on new procedures and significant changes to regulations. Again, the regulatory effectiveness of systems and the controls will be included in the sample checks performed by compliance staff during their monitoring assignments. 1.7 Regulations, Internal Policies and Procedures Learning Objective 2.1.7 Know the difference between regulations, internal policies and procedures Regulations, internal policies and procedures are all important to a firm’s governance, though each has a distinct purpose and origin. Regulations are provided by governments and regulatory bodies to give clear minimum rules by which businesses can operate. Regulations might be rules-based or principles- based. Internal policies are created within each firm to guide staff and management in respect of the core principles by which the firm will achieve compliance and explain the main processes to be followed. Policies go further than regulations and, for example, set internal codes of conduct with requirements that go beyond what is required by regulation. Procedures provide the detailed guidance on the action to be taken by management and staff. 71 Internal policies and procedures reflect the firm’s interpretation of the regulations. The regulations may offer flexibility and, therefore, different firms may adopt different approaches. 
Once again, it is important that the compliance function is involved in reviewing policies to ensure the interpretation is valid. In some cases, an opinion from external consultants or legal experts may be beneficial.

While regulations, internal policies and procedures serve distinct purposes, conflicts between these items can arise – particularly in respect of international businesses. Conflicts may arise between the local regulations in one jurisdiction and the corporate internal policies and procedures handed down from head office. It is important to identify any such conflicts that arise, and to ensure that regulatory requirements are satisfied in the resolution.

1.8 Regulatory Implications of Business Strategies

Learning Objective
2.1.8 Understand the potential regulatory implications of business strategies: outsourcing and oversight; capital requirements; variation of permissions; control framework

1.8.1 Outsourcing and Oversight

Many firms take a strategic decision to concentrate on certain core activities and to outsource other activities and support functions to specialist suppliers. For example, a global asset manager operating collective investment funds may decide that it wants to concentrate on management of the investment portfolios, but outsource all the activities to do with fund accounting, pricing and investor record-keeping.

Generally, regulations permit firms to outsource the tasks associated with regulated activities – though the firm retains regulatory responsibility for those tasks outsourced. This means that supervisory or enforcement action could be taken against the firm if the outsource service provider fails to deliver a compliant operation. Typically, when outsourcing a material task, the firm needs to advise its regulator in advance.
In some countries, regulatory approval is required before outsourcing, and in some cases, outsourcing of specific tasks may not be permitted, or a geographic limitation may be applied with a view to protecting investors.

When outsourcing, a regulator will expect the firm to:
- undertake appropriate due diligence of the service provider
- retain sufficient expertise to undertake oversight of the outsource service provider, to ensure the service is compliant and ensure that access to relevant information is provided to both the firm and the regulator
- have a written contract with the service provider together with a clear service level agreement and establish key performance indicators, and
- have agreed with the service provider plans for business continuity and disaster recovery, including periodic testing of any applicable back-up facilities.

A more detailed checklist for outsourcing is provided in Appendix 2.

The European Banking Authority (EBA) has issued guidelines on outsourcing, which came into force on 30 September 2019. They contain specific provisions for the governance frameworks in relation to outsourced activities of financial institutions, as well as the related supervisory expectations and processes. The guidelines specifically state that the financial institution’s management remains responsible for all of their activities, including those that are outsourced. The institution must have sufficient resources available to appropriately support and ensure the performance of their responsibilities, including overseeing all risk and management of the outsourcing arrangements. Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’ that lacks the substance to remain authorised. When the service provider to which operations have been outsourced is based outside of the EU, they still need to comply with EU rules and regulations if they provide services to financial institutions based in the EU.
In the US, however, outsourcing by financial institutions is not subject to any regulations.

1.8.2 Capital Requirements

The financial crisis has led to a strengthening of capital requirements and standards by regulators in many parts of the world. Models for firms to use in calculating capital adequacy (ie, the appropriate amount of capital a firm should maintain) have become increasingly complex. Examples of international capital adequacy approaches include the Bank for International Settlements (BIS) Basel II and III Accords for banks, and the EU’s Solvency II Directive aimed at harmonising capital requirements across the insurance industry in the EU.

Typically, the regulations and standards set out how to determine the appropriate levels of capital adequacy given the types of business and levels of risk the business or assets held may represent. Two approaches are commonly used:
- The use of a standard formula for calculating the minimum capital requirements. Depending on the risk-weighted assets of the firm, the minimum capital requirement may fluctuate. In simple terms, this means the higher the risk, the greater the capital requirement.
- The use of internal models to determine the risk, reflecting the firm’s own risk and solvency assessment. These internal models should better reflect the firm’s risk profile than the adoption of a standard formula. The resulting requirement may be lower than the capital adequacy requirement based on a standard formula but, equally, it may be higher. The models will need to be approved by the regulator, and are subject to robust governance.

It is important that the business incorporates its regulatory reporting requirements for capital within its overall strategy and operations. Retail banking will have a different risk profile to investment banking, for example. The mix of business chosen and the risk appetite of the institution as set by the board will have significant implications for capital adequacy and overall regulatory requirements.
Any plans to change the business strategy of the firm should, therefore, take into consideration any implications for the firm’s capital requirements. A business expansion that might appear profitable could be undermined if it would require the firm to substantially increase its level of regulatory capital.

1.8.3 Variation of Permission (VOP)

One of the ways in which a regulator controls the risks to its objectives is to limit the regulated activities a firm may undertake. A firm must ensure it holds the relevant permissions for the business it undertakes, and will also want to ensure it does not hold excess authorisations. The broader its permissions, the greater the regulatory obligations.

Forward planning is, however, essential for business development purposes and the regulatory implications. Early involvement of the compliance function will be required if the firm plans to move into new areas of business, either in terms of an extension of current activities or to diversify into entirely new activities.

In many jurisdictions, the process to amend authorisation is known as a variation of permission (VOP). The firm typically advises the regulator at an early stage of the firm’s plans and confirms the requirements for varying the firm’s authorised permissions. In the event of a minor variation, the application for approval typically requires minimal documentation to be submitted. For minor variations, the approval process usually takes only a limited amount of time, and can be as little as two to eight weeks. For major variations, such as an entirely new area of activity, more evidence will need to be provided, including a detailed overview of the firm’s expertise in the new activity, the risk assessments undertaken and the detailed business plan. In such cases, the lead time for obtaining regulatory approval can be lengthy and take up to a year.
Regulators may provide a service level target for processing such applications, which is designed to give the regulator ample time to consider the application.

1.8.4 Control Framework

A key part of the business strategy is understanding the key risks the business will face and how those risks will be managed. Risks can be mitigated, eliminated, or accepted. Assessment of the risks associated with any change in business strategy, together with an understanding of the need to control those risks, is vital to ensuring that the firm is prepared to expand its business activities or adopt some other change in overall strategy. While change can be positive in realising growth for a company, the compliance officer must ensure that the regulatory consequences of change have been understood and appropriate plans put in place.

1.8.5 Preparing Compliance Reports

Learning Objectives
2.1.9 Know how to prepare an effective compliance report for management
2.1.10 Know what basic information compliance officers should have access to

There is no prescribed layout for compliance reports, and firms will take differing approaches. Some firms prefer narrative styles, while others might use a recognisable corporate template to ensure consistency across the various reviews performed (such as the example shown in Appendix 3).

Regardless of the format, the following needs to be taken into consideration:

Initial steps:
- The title page and meeting corporate style/standards.
- Designing a template that meets your needs.
- The introduction and contents pages.

Report scope, parameters and people:
- The purpose of the (monitoring) review and report.
- Compliance ‘project’ reports – summary and objectives.
- Acknowledging key personnel.
- Any ‘points to be noted’.

Significant pages:
- Contents: subject areas considered and reviewed.
- The executive summary.
- Report findings and recommendations.

The right of reply:
- Incorporating management responses.
Issuing the report and document version control:
- Recording, retention and revisiting.

Access to Information and Personnel

The compliance function needs to be able to communicate with any staff member and obtain access to any records or files necessary to enable them to carry out their responsibilities. They need to be able to independently carry out their responsibilities in all departments of the firm in which compliance risk exists. They should have the right to conduct investigations of possible breaches of the compliance policy and to request assistance from specialists within the firm (eg, legal or internal audit) or engage outside specialists to perform this task if appropriate.

The compliance function should be free to report any irregularities or possible breaches disclosed by its investigations to senior management, without fear of retaliation or disfavour from management or other staff members. Although its normal reporting line should be to senior management, the compliance function needs to have direct access to the board of directors or a board committee, bypassing normal reporting lines when necessary. Further, it may be useful for the board or a committee of the board to meet with the head of compliance at least annually, as this will help the board or board committee to assess the extent to which the firm is managing its compliance risk effectively. In larger firms, the compliance function will be directly represented on the board with the appointment of a compliance director who may serve as the chief compliance officer for the company and its subsidiaries.

Examples of the types of records compliance typically accesses for monitoring purposes fall into three main categories. They are: basic, periodic, and non-essential.

Basic Records
- Customer applications/instructions.
- Suitability/appropriateness test records.
- Contract notes.
- Transaction records.
- Telephone recordings.
- Customer correspondence (written and electronic).
- Accounts – customer, bank.
- Customer asset and money reconciliations, trust letters.
- Marketing materials.
- Complaints and breach of regulation records.
- Suspicious activity reports (SARs).
- Court of Protection.
- Court orders.
- Marriage certificates.
- Probate.
- Powers of attorney (POAs).
- Death certificates.
- Anti-money laundering (AML) documents.
- Scanning.
- Tax vouchers.
- Tax-related reports/returns.
- Policies.
- Procedures.
- Distribution records.
- Cheque processing.
- Risk assessments.
- Control reports.
- Checklists.

Periodic Records
- Prospectus and instruments of constitution.
- Staff records for recruitment, fit and proper tests, references, credit checks.
- Training and CPD.
- Statements issued to customers.
- Report and accounts.
- Knowledge base.
- Websites.

Non-Essential
- Supplier invoices.
- Management accounts – forecasts/projections.
- Adviser/client agreements.

2. The Role of the Compliance Function within a Firm

2.1 Responsibilities and Accountabilities of Management and Staff

Learning Objective
2.2.1 Understand the responsibilities and accountabilities of management and staff for compliance with regulations

Regulators expect the executive management of a firm to ensure that their responsibility for the running of the firm is clear. When it comes to daily ‘business as usual’ activity, all staff and management of a firm must, together, ensure that it remains compliant with the regulations. Operational processes must follow the prescribed procedures to ensure that the right outcomes are achieved. Any concerns staff might have regarding the accuracy of those procedures should be escalated for consideration by management. Staff and management must ensure that the training provided to each person remains current and suited to their role, and that any regulatory training obligations are satisfied (such as obligations for AML training).
While firms will often make such matters part of the firm’s code of conduct, enabling it to take disciplinary action against staff where relevant, it is important to recognise that failings in these areas could give rise to regulatory concerns as well as HR issues. The code of conduct is the firm’s documented expectations of how its staff and management will act in respect of share dealing, engagement with clients and suppliers, and various other matters.

2.1.1 Understand How to Monitor whether a Business is in Compliance with Regulations and Internal Policies and Procedures

Learning Objective
2.2.2 Understand how to monitor whether a business is in compliance with regulations and internal policies and procedures

The common methods used to monitor compliance are:
- interviewing relevant staff, management and directors
- observing the processes in action and seeing evidence of the controls being operated
- testing statistically-based samples of transactions, either in situ or by desk-based review. It is particularly helpful if compliance staff have direct read-only access to relevant systems such that they can take their own samples and do not have to rely on operational staff for providing the material
- reviewing previous reports, audit reports and other key management information such as key performance indicators, breach and complaint trends, and reviewing specific system-produced transaction reports for the compliance function.

2.1.2 Risks of Non-Compliance

Learning Objective
2.2.3 Understand the risks associated with non-compliance for firms and the financial services sector

It is generally accepted that no firm can at all times remain fully compliant with all regulatory requirements. Manual processes are open to error; human beings will make mistakes; fully automated processes can be vulnerable if system problems arise.
While any firm may, at times, experience a breach of regulation, it is important that the firm appreciates the significance of such breaches and the potential consequences that could follow. Ultimately, a regulator will have the power to sanction a firm as well as its executive management in the event that the firm fails to uphold the standards expected. It is, therefore, important for the firm to distinguish between isolated failings and situations indicating that a systemic problem exists.

One example of an isolated breach would be where a transaction is misfiled through human error, such that the transaction is delayed and the investor may receive a worse price on their deal. It is important that the firm rectifies such cases. Root cause investigations are a valuable control to confirm that the human error was not caused by a poorly designed process or badly written procedure. Any root cause identified by the firm should be promptly addressed to prevent continued breaches.

The chief risk faced by a firm is that its regulator will take action if it becomes concerned by the level or type of breaches arising, or that the firm is failing to address the fundamental causes of problems. Where the regulator believes the firm’s clients are being put at risk, or where it considers the firm is not responding appropriately to the regulator’s expectations, the regulator may impose a fine on the firm. Such fines are often made public, which could undermine client confidence in the firm. In some cases, the regulator might also take action against the senior management of the business: those individuals who were personally responsible to the regulator for ensuring the business would be well run.

Aside from the specific cost of any regulatory action taken, the firm is likely to incur substantial additional expense in managing a period of regulatory investigation.
Firms under regulatory investigation will often retain external support to help their investigations and build a defensive case – all of which has implications for the firm’s profitability. In extreme cases, the regulator has the power to revoke authorisation, effectively preventing the firm or individual from continuing in business. The regulator must seek to ensure that overall confidence in the financial sector as a whole is maintained, and doing so requires strong action to be taken against those who have failed to operate at the required standards.

2.1.3 Independence of the Compliance Function

Learning Objectives
2.2.4 Understand BIS Principle 5 relating to the independence of the compliance function and senior management accountability
2.2.5 Understand the relationship between compliance and other departments, including ‘three lines of defence’

Principle 5 of the BCBS’ principles for compliance and the compliance function in banks states that the compliance function should be independent. The concept of independence does not mean that the compliance function cannot work closely with management and staff in the various business units. Indeed, a cooperative working relationship between the compliance function and business units should help to identify and manage compliance risks at an early stage.

The concept of independence involves four related elements:
- Compliance should have a formal status within the firm.
- There should be a group compliance officer or head of compliance.
- Their responsibilities within the firm should not lead to conflicts of interest.
- They should have access to information and personnel.

The independence of the head of compliance and any other staff having compliance responsibilities may be undermined if they are placed in a position where there is a real or potential conflict between their compliance responsibilities and their other responsibilities.
It is the preference of the BCBS that compliance function staff perform only compliance responsibilities. The BCBS recognises, however, that this may not be practicable in smaller banks, smaller business units or in local subsidiaries. In these cases, therefore, compliance function staff may perform non-compliance tasks, providing that potential conflicts of interest are avoided.

The independence of compliance function staff may also be undermined if their remuneration is related to the financial performance of the business line for which they exercise compliance responsibilities. However, remuneration related to the financial performance of the bank as a whole should generally be acceptable.

Most firms apply the three lines of defence approach or a recognisable variation of it. The first line is operational controls – such as a ‘quality check’ performed on transactions inputted on the firm’s systems to reduce the risk of a processing error. Due to the nature of operational activities, such first-line checks are usually performed only a short period after the initial operational activity so that problem scenarios can be avoided.

Compliance usually provides the second line of defence; the compliance monitoring programme discussed above enables sample-based review of the operational tasks performed to validate the specific performance achieved and to reflect upon whether any improvements might be made to better secure the operational processes against risk.

Finally, the third line of defence is generally delivered by the firm’s internal audit function. The three lines of defence are complementary, each performing its control responsibilities independent of the other lines. The frequency of review may reduce as you progress through the lines of defence, but the depth of critical analysis increases in order to ensure the firm’s processes are mitigating risks to the optimal level (given budgets and other organisational limits).
The three lines of defence are a clear and consistent organisational and operational structure, including decision-making powers, reporting and functional links and segregation of duties, which are clearly defined, transparent, consistent, complete and free from conflicts of interest.

2.1.4 Compliance Role in Training and Competence

Learning Objective
2.2.6 Understand the role compliance has in training and maintaining competence and awareness: educating staff on compliance issues; acting as a contact point for compliance queries from staff members; providing written guidance to staff

The role of compliance in training largely covers three main areas:
1. Educating staff on compliance issues.
2. Acting as a point of contact for compliance queries from staff members.
3. Providing written guidance to staff.

Educating Staff on Compliance Issues

Education of staff on compliance matters may be completed in a number of different ways, depending on the size and approach of the firm. If there is a learning and development department responsible for delivering training, then they are likely to be responsible for induction courses and periodic regulatory courses such as those relating to financial crime prevention. The role of compliance is to review the training material and provide advice on updating it to reflect any changes in regulations.

Special workshops or training sessions may need to be prepared, and possibly delivered, by compliance staff on specific areas of regulation, such as anti-bribery legislation or new product regulation. They may also provide sessions in groups or individually for directors and senior management who are approved by the regulator; this would be to cover the senior management responsibilities so far as compliance is concerned.

Acting as a Point of Contact

Providing a compliance helpdesk/helpline can be a valuable educational tool.
This would deal with day-to-day queries arising from the business where line managers have not been able to answer the query. This can then highlight any areas of the firm and activities where there may be a lack of knowledge and the need for more formal training or guidance to be given. The provision of online facilities, with the compliance function producing an FAQ (frequently asked questions) guide, can be useful.

Providing Written Guidance to Staff

The compliance department must understand the specific regulations applicable to the business, though most areas of the business simply need to ensure that the work they undertake remains in line with the regulatory requirements. As such, the compliance team will need to provide a range of updates and documentation to support the business areas in maintaining the necessary standards and ensuring that any projects to implement regulatory changes are accurately defined.

There will always be a need for compliance to respond to queries that arise from business-as-usual (BAU) events. In order to remain efficient, and to avoid any systemic concerns from developing, the compliance team should periodically consider whether the BAU questions it has received indicate any underlying concern in a given part of the business. Again, maintaining open and supportive relationships with the business is important for giving compliance visibility of potential concerns.

Depending on the specific activities of the firm, the compliance team may maintain a formal ‘house view’ of how certain regulations are to be interpreted or applied. Any change to those rules will require the compliance function to update its material and communicate any consequences to the business areas affected.
The compliance team might provide periodic internal updates to summarise regulatory themes or specific matters of interest, providing a ‘call to action’ for the firm to ensure that it is strongly positioned on a matter of regulatory interest. For firms with a smaller compliance department, these materials might be gained from participation in industry events or trade association discussions. The key point is that the compliance function must ensure it provides guidance to staff in respect of regulatory obligations.

As part of their monitoring programme, the compliance function will review the training and competence policies of the firm and test the record-keeping relating to those staff in approved or supervisory roles. This is to ensure that the training plans and CPD have been completed and, where relevant, that the supervisor or senior manager has assessed the individuals as competent to undertake their role.

2.1.5 Non-Compliance by Individuals

Learning Objectives
2.2.7 Understand how to monitor an individual’s compliance with regulations and internal policies and procedures
2.2.8 Understand the range of potential outcomes to remedy non-compliance by an individual within a firm: training and development activities; internal disciplinary measures; external regulatory sanction; legal avenues

The directors and management of a firm have responsibility for the day-to-day managing of staff and providing feedback on any issues arising from an individual’s performance. Quality checking and assurance processes should be designed to identify non-compliance. If the matter is serious, then it may be necessary for management to involve the HR or personnel department; if there is a regulatory issue, the compliance function too.
The following list provides examples of methods for the monitoring of an individual’s compliance with regulations and internal policies and procedures:
- Regular appraisal of performance by senior staff – this may range from daily contact and support/advice provided by those in supervisor, manager or executive roles through to more formal periodic reviews. Periodic reviews may be monthly, quarterly, half-yearly or annual. Appraisals normally are interview-based with written records of areas discussed.
- Quality checking and assurance processes – this may take the form of manual checks by a second experienced person. This may range from checking each activity and item of work (ie, checking 100% of the individual’s work) through to checking a sample, for example 10%.
- Exception and error reports – automated system reports may be used to identify where non-compliance may occur. For example, if an investment manager fails to observe investment and borrowing limits, an automated report may be used to warn when a breach occurs.
- Testing on a periodic basis – for example, the firm may provide regular (eg, annual) training and refresher training on regulatory subjects and internal policies. These sessions will often involve testing of the individuals to ensure their compliance knowledge is satisfactory.
- Self-certification by the individual – a firm may require individuals to sign a declaration periodically (eg, annually) that they have read and understood the firm’s policies and procedures, for example, a declaration that the individual has read and understood the policies and procedures relating to client data protection or privacy.
- Audit trails – ensuring that the firm maintains adequate records to demonstrate compliance is important. Such records, whether paper- or system-based, may be used to demonstrate an individual’s compliance, as well as the firm’s. In the event that criminal activity is suspected, then a formal audit of the records may be necessary.
The potential outcomes could involve the following:
- Training and development activities – this may involve some coaching by an experienced member of staff, or it may require the individual being temporarily removed from their role while they are retrained in processes which are compliant.
- Internal disciplinary measures – where the individual has acted negligently or repeatedly been non-compliant, then appropriate internal disciplinary measures may be necessary. This may include the giving of a verbal or written warning and a record made on their personal file. Where the behaviour persists, suspension and/or dismissal may be necessary.
- External regulatory sanction – in certain cases, it may be necessary for the compliance function to notify the regulator – remember the principle of an open relationship with your regulator! It is possible that the individual may be subject to action, particularly if the breach amounted to serious market abuse; and the firm is at risk too if it failed to have appropriate controls in place or monitor what was going on. A ban and fine for the individual may be levied, quite separate from any action against the firm.
- Legal avenues – if the breach is related to ML, insider dealing or bribery, for example, then the regulator may take legal action for any offences committed. Clearly, if convicted of a criminal offence, the individual may face quite severe penalties; not just a fine, but a potential custodial sentence.

2.1.6 Business Development

Learning Objective
2.2.9 Understand the role compliance plays in new business development: due diligence; risk assessment; scope of regulation and approval; highlighting material changes in the nature of existing relationships; assessing and reporting potential reputational risks

There are five key aspects to the role compliance plays in the development of new business.
These aspects are:
- due diligence
- risk assessment
- scope of regulation
- highlighting material changes in the nature of existing relationships, and
- assessing and reporting potential reputational risks.

Where there is an independent compliance department, there tends to be an emphasis on advising the business. In particular, the role of compliance in approving new products has increased significantly and is recognised as vital to the product development process. This is an area where compliance can add value at an early stage in the product approval process and thereby help to avoid problems later on. It is common at larger firms for there to be written guidelines for new product initiatives, integrating compliance into the process.

Depending on the relationship between the firm’s compliance and risk management functions, compliance will either perform or participate in a due diligence review of any new product or service that the firm wishes to introduce. The focus for compliance is to ensure that the regulatory aspects of the new service have been correctly understood and to determine any impact of the new service upon the firm’s regulatory permissions or capital requirements. At a later point, compliance will need to verify marketing communications and regulatory submissions relating to the new service and may review operational readiness and system test output where the change is substantial.

The wider risk assessment performed in the firm will look at the operational risks of delivering an accurate and timely service in respect of the new product and consider any potential reputational damage that the firm may suffer if problems arise. The firm will also need to ensure that the correct external relationships (eg, partners, clients and suppliers) are in place and ready to support the expanded business – in terms of volumes, capacity and complexity.

3. Managing Regulatory Relationships

3.1 Regulator Relationship

Learning Objectives
2.3.1 Understand the relationship between the firm and regulator
2.3.2 Understand how an effective regulatory relationship can be of strategic importance to a firm: advocating opinion; involvement in consultation; drafting regulatory responses; making representations and applications; obtaining effective guidance

3.1.1 How Regulators Manage the Relationship with Authorised Firms

As a general principle, regulators supervise firms according to the risks they present to the regulator’s objectives. They assess risks in terms of their impact (the scale of the effect these risks will have on consumers and the market if they were to happen) and probability (the likelihood of the particular issue occurring).

As noted by the International Organization of Securities Commissions (IOSCO), supervision of market intermediaries’ conduct through inspection and surveillance helps to ensure the maintenance of high standards and the protection of investors. These preventative programmes are a necessary complement to investigation and enforcement programmes.

The nature and extent of the supervisory relationship with an individual firm depend on how much of a risk the regulator considers the firm could pose. It also may take into account the risks across several firms in the sector (to provide a benchmark) or indeed the market as a whole. It may use different methods or frameworks to assess that risk, but generally it will either focus on the firm alone or as part of a sector/industry. The base level of supervisory intensity depends on impact and probability scores assigned to a firm (or group of firms) which, in turn, help to determine the nature of the relationship that the regulator has with a particular firm.
Medium- and High-Impact Firms

For medium- and high-impact firms, the regulator may coordinate its work through a relationship manager, who carries out a regular risk assessment and determines a risk mitigation programme proportionate to the risks identified. The precise volume and type of work undertaken will depend on the size and risk rating of the firm concerned. On a regular basis, the regulator will analyse a firm’s financial and other returns and check compliance with notification requirements. Breaches and other indicators of risk may be followed up by the supervisory team with the firm’s compliance function.

For high-impact firms, the regulator is likely to apply a closer monitoring regime. This is essentially a planned, ongoing schedule of visits to the firm to meet the firm’s directors and senior management regularly. In addition, for high-impact firms which are systemic in nature, the regulator may design specific programmes of core work to assess the biggest risks on the prudential and conduct sides of the business.

Where possible, the regulator may centralise supervision of all associated firms within a group in a single team and, when appropriate (for example, if it believes the group has an integrated management and/or control structure), produce a combined risk assessment and risk mitigation programme covering all the firms in the group.

Low-Impact Firms

If a firm is assessed as low impact, it may not have a specific risk assessment or risk mitigation programme. These firms are monitored by a combination of baseline monitoring of financial and other returns, action in response to risks identified by this information, thematic exercises to monitor compliance standards in a sector, and work as part of sector-wide reviews. Individually, most small firms pose a low risk to a regulator’s objectives.
In practice this means that, unlike the larger firms, they do not have regular risk assessments and are usually required to send regulatory reports less frequently. Small firms are unlikely to have an individual relationship manager. Collectively, however, small firms do pose a risk to a regulator’s objectives. The regulator may collect information from a variety of sources, such as regulatory returns, analyse the data to identify collective risks and, where necessary, investigate the matter further (eg, using questionnaires or targeted firm visits), and then communicate the results of the research to the industry. The aim is to change the behaviour of small firms in a way that improves standards across the industry.

3.1.2 Building the Relationship

Building a good relationship with the regulator is a key role for compliance staff. An effective relationship is one that is built on mutual trust and enables open and constructive discussion to take place. Indeed, a commonly accepted principle is that a firm must deal with its regulator in an open and cooperative way and must appropriately disclose to the regulator anything of which it would reasonably expect notice.

One of the valuable aspects of a good relationship is the ability of the firm’s compliance function to seek an opinion on issues that arise and discuss their resolution, or to seek an opinion on a planned business development. Similarly, the regulator may wish to seek firms’ opinions, on a formal or informal basis, about a regulatory issue that may be affecting the sector or industry. Obtaining effective guidance at an early stage can clearly be of strategic importance to the firm and save a great deal of time and effort. A constructive relationship with the regulator enhances the opportunity for such dialogue.

Responding to consultation papers issued by the regulator gives a firm the opportunity to formally express its opinion on forthcoming regulations.
It also allows the firm to provide the regulator with information about the practical implications of the proposals being made. Regulators are commonly accountable for ensuring they understand the business impact of their proposals and, in some cases, must carry out a cost-benefit analysis to ensure the proposals are proportionate. Responses to consultations may be collated by trade associations, and the balance of industry opinion can be analysed and provided to the regulator. This route also allows firms to comment anonymously. However, firms may decide to respond directly as well as through any relevant trade association. When drafting such responses, it is usual to set out details of the firm, its position in the industry and its interest in the consultation being undertaken, before going on to respond to the specific points raised in the consultation paper issued by the regulator.

3.1.3 Applications

Obtaining authorisation usually requires a formal application to be made to the regulator. The following are examples of the various types of information required; in this case, for a retail financial intermediary firm:

• Staff organisational chart.
• Business plan information.
• Compliance procedures.
• Details of the firm’s professional advisers.
• An opening balance sheet.
• A forecast closing balance sheet after 12 months’ trading or the first year’s trading.
• A monthly profit and loss account for the first years of trading.
• A monthly cash flow forecast.
• A copy of the latest annual accounts (if previously traded).
• A professional indemnity insurance quotation.

3.1.4 Representations

Where a regulator has made a formal decision to refuse an application or to proceed with enforcement, it will normally offer an appeals process for firms. The representation may be in writing or it may be oral, and in the normal course it will be put to persons who may be independent but are appointed by the regulator for the purpose of hearing such representations.
3.1.5 Regulatory Visits

Learning Objective

2.3.3 Understand what to do if your firm is the subject of a regulatory or law enforcement visit: scheduled; unscheduled (‘dawn raid’)

Scheduled Visit

Medium-sized businesses, as well as selected other businesses, can expect to have scheduled visits from their regulator:

• periodically, to undertake risk assessments, and/or
• as part of thematic research and investigation, perhaps involving a number of firms across the industry or sector.

Larger firms can expect to receive visits for the same reasons, but they may also attend regular meetings to discuss specific areas of their business, and to maintain contact with senior management to discuss the firm’s strategy and corporate plans.

In all the above routine-type visits, the firm will normally receive prior notice of the visit and may well receive a request for information to allow the regulator to carry out some desk-based analysis and prepare for the visit. Firms may also, as part of relationship-building, proactively invite the regulator to their premises to update them on business developments or organisation structure, or to present a corporate update and plans for the business over a period.

In all these cases, it is helpful to obtain the cooperation of all relevant areas of the firm who may be involved in the visit. Planning will enable such a visit to run smoothly: prepare the agenda beforehand, book meeting rooms, arrange for relevant directors or managers to be available at the times arranged, arrange refreshments, and organise someone to take notes of the meeting(s).

Unscheduled Visit (‘Dawn Raid’)

Regulators may undertake unscheduled visits where they have an ongoing investigation, which may involve a criminal offence such as insider dealing or ML. Countries around the world are adding challenges in the form of new laws or the renewed enforcement of existing laws.
As national laws are strengthened, and as international regulators cooperate on significant investigations, the likelihood of dawn raids increases.

Unscheduled Visit Procedure

Raids may be carried out at dawn but are usually commenced at the start of the working day. They often take place simultaneously at various offices and at the homes of key individuals. A regulator seeking to enter premises to search for evidence will usually hold a legal search warrant authorising its action, and the raid will therefore usually be accompanied by police officers. The firm should check that the warrant is in order and ensure that the search team does not exceed the authority granted by the warrant. The warrant should specify:

• the date on which it was issued
• the legal authority by which it was issued
• the regulatory authority to whom it was granted
• each set of premises to be searched, and
• the type of articles, materials, or persons sought.

However, the exact nature of warrants will differ between jurisdictions and according to the legal basis on which they are issued.

Once inside, the investigators will search through documents, records and computers. They are likely to have at least one specialist computer forensics expert in the team. The investigators are entitled to take copies of any relevant information. If information is not readily available, the investigators can ask for it to be compiled. They may also be in possession of a search and seizure order, in which case they can also take possession of hard drives and original documents. Information or documents that fall within the terms of the warrant may be seized; however, the police may be able to seize other material (eg, incriminating material giving direct evidence of a criminal offence) even if it is not specified in the warrant. Legally privileged documents, and those that may lead to self-incrimination, do not need to be provided. Legal advice should be sought to ensure there are reasonable grounds to believe that privilege exists.
The investigators must keep a record of all documents they copy, and they will ask someone to sign it before they leave; at that time, a copy should be taken for the firm’s own records. The warrant also entitles the investigators to interview individuals. Failure to cooperate with any aspect of the raid could be a criminal offence punishable by a prison sentence. Investigators may be willing to wait for legal representatives to arrive before they commence their search, but they are not obliged to do so.

Advance Preparation

It is good practice for firms to advise their employees about the possibility of dawn raids occurring and to brief them on the procedure. It is important for staff to understand the scope of the information they should provide. In particular, they should be aware of the legal consequences of a failure to cooperate and of tipping off any other persons who may be involved. Firms should have in place procedures for key staff to follow in the event of a raid, including who should be notified.

Consideration should also be given to how information is stored and whether legal advice and communications should be filed separately. This is advisable in any event and, in the event of a raid, it will avoid the inadvertent disclosure of privileged information. In addition, firms are advised to consider lodging copies of sensitive information with their lawyers. If asked for copies, the firm can advise the investigators that they are in safekeeping and that the solicitors will undertake to hold them pursuant to a court order.

Firms should also consider whether the seizing of individual hard drives would inhibit the operation of the company, or whether all essential information is held on a central server. Consideration should also be given to how the company would respond to any media interest and to advising investors of what has occurred.
There should be clear internal policies on how the company would respond if the activities of an employee or director are the focus of any investigation.

General Checklist in the Event of a Raid

If there is a raid on your property, whether business or residential, it is important that you do the following:

• Check that the warrant has been granted against your premises/abode, that it is signed, dated and sealed, and that it is still in date: there will be a window of time within which the investigators may make the raid.
• Ensure that all investigators present are named on the warrant. Refuse entry to anyone attempting to enter who is not named.
• Advise the investigators that you are contacting your legal adviser and will ask them to be present.
• Check the terms of the warrant and the scope of the information which must be provided.
• Brief employees on the scope of the warrant. Remember that you do not have to provide privileged legal advice, and that you have the right to redact documents which contain information that is not relevant.
• Cooperate by allowing access to relevant documents and information, and advise anyone else involved to cooperate.
• Do not tip off people who are not present that there is a raid, particularly if you believe that they may also be involved, and advise other employees of the same risk. Ask the investigators before you notify other offices or directors.
• Keep a list of all the documents copied, supplied or asked for, and also of any questions which are asked and the answers given.
• The investigators must provide a list of what they are taking. The two lists should be checked against one another before you accept and sign the investigators’ record of documents copied/taken.
• Compile a report on the raid.
3.1.6 Breaches

Learning Objectives

2.3.4 Understand what to do if a regulatory breach occurs
2.3.5 Know what types of information must be disseminated to whom in the event of a regulatory breach

Minor regulatory breaches need to be recorded in a breaches log, and a record needs to be kept of the resolution of the breach or other action taken. The breach should be reviewed by an appropriate manager to ensure that all relevant action has been taken, including, where appropriate, that compensation has been paid or that the client has been restored to their correct position. Analysis of breaches will help to indicate trends and provide managers and senior managers with information to help control the business, identify any action required and consider any preventative action for the future. Any client impacted by the breach should be notified and provided with an explanation of any action taken.

If the breach is a notifiable breach, ie, of a type the regulations state is reportable to the regulator, then a report should be made (normally within 24 hours of identification). The regulator may request some form of incident report and an explanation of how the breach was discovered, whether investors were at risk, and what remedial action has been taken. It will also wish to understand whether the breach is a single event or evidence of a systemic problem.

It is important that relevant directors and senior managers are aware of any breach that is reportable to the regulator, and that they ensure the information provided accurately reflects the issue, the action already taken to rectify the position (and prevent recurrence), and any ongoing areas of activity.
3.1.7 Confidential Information

Learning Objectives

2.3.6 Know what information may be disseminated and what should remain confidential if financial crime is suspected or detected
2.3.7 Know what types of information should remain confidential in the normal course of business

If financial crime is suspected or detected, the person discovering the information should report the matter to the firm’s MLRO, or to the police. If the MLRO, on review of the matter, believes it is suspicious, then they should make a suspicious activity report (SAR) to the appropriate law enforcement agency (LEA). Failing to report suspicions is a criminal offence.

If a client is being investigated, the LEA will not usually divulge the source of the initial report, although the client may have the right to see relevant papers/reports should they request them. When an MLRO makes an SAR, individual staff names are not passed on as part of the process. Staff should not inform the client that a report is being made about them; this is regarded as tipping off. A staff member convicted of tipping off may be liable to imprisonment, a fine, or both.

Staff may refer concerns about specific transactions or other activity to their line manager to obtain advice or guidance. However, the suspicion should still be logged and referred to the MLRO. An example of a suspicion raised by staff might include the following:

1. Incident summary – a high-level summary of the case, eg, the client did not pass telephone security questions. Such checks may require the client to quote letters from a password, answer a pre-advised security question (eg, providing their mother’s maiden name), or confirm their date of birth.

2. Details of the incident – details of the case, including reference to dates and amounts, as appropriate.
For example: ‘The client called on 27 October 2022. They answered the full name, address and date of birth questions successfully, but they sounded male and the account holder on the system is shown as female. The caller came through the automated valuation line and was querying the valuation; in addition, the caller wanted confirmation of how to sell the investment quickly and send the proceeds to a third party. I informed the caller that I could not locate an account with the information provided and that they should put their request in writing.’

3. Reason for suspicion – an explanation of what made the staff member suspicious regarding the case, eg, the voice did not sound female, and the caller was clearly interested in selling the investment quickly and wished the proceeds to be sent to a third party.

The SAR will be made to the regulator and/or an appropriate arm of the police that deals with financial crime.

In the normal course of business, the authorised firm has a duty of care to keep confidential all of the client’s information, including the details of their investments or bank account. Any personal data will also be subject to the relevant data protection or privacy laws. Reporting suspicious activity therefore involves sharing confidential information, but in such circumstances it does not constitute a breach of client confidentiality or of data protection/privacy laws. Such information may only be disclosed where it is necessary for a criminal investigation or in the event of tax evasion; release of the information may be subject to an appropriate court order being served on the firm.