Global Financial Compliance Ed10 (1)-69-98.pdf

Full Transcript

The Compliance Function

1. International Best Practice

1.1 Systems and Controls

2
Learning Objective
2.1.1 Understand the fundamental systems and controls a firm should implement in order to
conduct its business in line with international regulatory standards

1.1.1 Organising Appropriate Systems and Controls to Ensure Compliance
Compliance is most effective in a corporate culture that emphasises standards of honesty and integrity
and in which the board of directors and the senior management lead by example. In other words,
compliance starts at the top. However, it does not stop there, and it is vital that compliance is a concern
of everyone in an organisation and should be viewed as an integral part of the firm’s everyday activities.
This also means observing the spirit, as well as the letter, of the law.

A firm needs to establish, implement and maintain adequate policies and procedures sufficient to ensure
compliance of the firm (covering its managers, employees and representatives) with its obligations
under the regulatory system in which it operates, and for countering the risk that the firm might be used
to further financial crime (including money laundering (ML)). Compliance risk, generally, is seen as the
risk of legal or regulatory sanctions, material financial loss, or loss to reputation as a result of failure to
comply with laws, regulations, rules, related self-regulatory organisation (SRO) standards, and codes of
conduct applicable to the firm’s business.

Compliance is not the responsibility of specialist compliance staff alone. It needs to be embedded within
a firm and become part of its culture. Nevertheless, a firm will be able to manage its compliance risk
more effectively if it has a compliance function in place, the organisation of which may vary between
firms. In a small firm, it may be an individual person, it may be a separate department or it may form
a discrete part of an overall risk management function. In particularly large and/or international firms,
compliance staff may be located within business lines and have group and local compliance officers;
separate units may also be established to deal with the prevention of money laundering and terrorist
financing (ML/TF).

Irrespective of the organisational structure, an effective compliance function should operate
independently, be sufficiently resourced, and have the following responsibilities:

1. To regularly assess and monitor the adequacy and effectiveness of the measures and procedures
put in place, and the actions taken to address any deficiencies in the firm’s compliance with its
obligations.
2. To advise and assist the relevant persons responsible for carrying out regulated activities to comply
with the firm’s obligations under the regulatory system.

61
The Basel Committee on Banking Supervision (BCBS) has issued a set of ten principles relating to
compliance and the compliance function. While these principles are aimed at banks, their general
approach has a much wider application for firms across the financial sector subject to regulation. The
BCBS principles can be found at www.bis.org/publ/bcbs113.pdf.

1.1.2 Responsibilities of the Board
The first of the BCBS principles is that the board of directors is responsible for overseeing the
management of the firm’s compliance risk. The board should approve the firm’s compliance policy,
including a formal document establishing a permanent and effective compliance function. At least once
a year, the board or a committee of the board should assess the extent to which the firm is managing its
compliance risk effectively.

A firm’s compliance policy will not be effective unless the board of directors promotes the values
of honesty and integrity throughout the organisation. Compliance with applicable laws, rules and
standards should be viewed as an essential means to this end. As is the case with other categories of
risk, the board is responsible for ensuring that an appropriate policy is in place to manage the firm’s
compliance risk. The board should oversee the implementation of the policy, including ensuring that
compliance issues are resolved effectively and expeditiously by senior management with the assistance
of the compliance function. The board may, of course, delegate these tasks to an appropriate board-
level committee (eg, its audit committee).

1.1.3 Responsibilities of Senior Management
The BCBS principles also set out the responsibilities of senior management who are responsible for:

the effective management of compliance risk, and
establishing and communicating a compliance policy, ensuring that it is observed and reporting to
the board of directors on the management of the firm’s compliance risk.

Therefore, senior managers are responsible for establishing a written compliance policy that contains
the basic principles to be followed by management and staff, and explains the main processes by
which compliance risks are to be identified and managed through all levels of the organisation. Clarity
and transparency may be promoted by making a distinction between general standards for all staff
members and rules that only apply to specific groups of staff.

Senior management are also responsible for ensuring that compliance policy is observed and that
appropriate remedial or disciplinary action is taken if breaches are identified. They should also identify
and assess the main compliance risk issues facing the firm (with the assistance of the compliance
function, at least once a year) and the plans to manage them. Such plans should address:

any shortfalls (policy, procedures, implementation or execution) related to how effectively existing
compliance risks have been managed, and
the need for any additional policies or procedures to deal with new compliance risks identified as a
result of the annual compliance risk assessment.

62
 The Compliance Function

Senior management should:

at least once a year, report to the board of directors or a committee of the board on the firm’s
management of its compliance risk, in such a manner as to assist board members to make an

2
informed judgement on whether the firm is managing its compliance risk effectively, and
report promptly to the board of directors, or a committee of the board, on any material compliance
failures (eg, failures that may attract a significant risk of legal or regulatory sanctions, material
financial loss, or loss to reputation).

1.2 Adequate Resources

Learning Objective
2.1.2 Understand BIS Principle 6 and the requirement for adequate resources

Principle 6 of the BCBS principles on ‘compliance and the compliance function in banks’ states:

‘The bank’s compliance function should have the resources to carry out its responsibilities effectively’.

The resources should be both sufficient and appropriate for effective management of the firm’s
compliance risk.

In particular, compliance function staff should have:

the necessary qualifications, experience and professional and personal qualities to enable them to
carry out their specific duties, and
a sound understanding of compliance laws, rules and standards and their practical impact on the
firm’s operations.

The professional skills of compliance function staff, especially with respect to keeping up to date with
developments in compliance laws, rules and standards, should be maintained through regular and
systematic education and training.

1.3 Compliance Manual and Policies

Learning Objective
2.1.3 Understand the practical applications of a formalised document of compliance policies and
procedures: compliance manual

1.3.1 Purpose of the Compliance Manual
The purpose of the compliance manual is to formally document the standards to be followed by all
employees in their personal conduct and in conducting business with customers and counterparties.

63
It also serves to expand upon compliance-related content of the company’s corporate governance
manual in relation to:

the legal and regulatory obligations of employees and contracted agents, and
the policies and procedures that apply to the business and personal conduct of employees and
agents to ensure that they comply with the laws, regulations, rules and codes that govern the firm’s
conduct of business as a regulated firm.

All managers and directors of the company are responsible for ensuring that the members of their
teams read, understand and are fully conversant with the contents. It should be remembered that this
manual is not a procedures manual, but rather provides policy and guidance. Detailed procedures are
normally produced by the various operational business areas and overseen by managers or directors
who will be responsible for ensuring that their staff know where to find such information.

1.3.2 Scope of the Compliance Manual
The compliance manual endeavours to give a high-level overview of the rules and regulations of the
regulatory bodies governing the firm’s business. For firms operating internationally, it is important to
clearly document how differing or overlapping regulatory requirements will affect operations and staff.
The compliance manual provides employees with the information required to comply with the rules
and regulations applicable to their activities. These may include relevant laws of the countries in which
the firm directly operates, or in which its clients are situated. Ignorance of the law or relevant rules and
regulations will not protect the company or its employees.

Employees are urged to consult with the compliance function if problems arise. The compliance
function normally seeks feedback from staff with a view to regular updating of the compliance manual.
It is important that it is a ‘living’ document and the compliance function needs to keep everyone
informed of significant developments arising from regulatory changes and experience throughout the
company. Many firms now use an online compliance manual with search facilities and links to online
learning modules and relevant regulatory websites.

See Appendix 1 for an example of the contents page of a compliance manual.

1.3.3 Communicating the Formal Status of the Compliance Function
The compliance function must have a formal status within the firm to give it the appropriate standing,
authority and independence. This may be set out in the firm’s compliance policy or in any other formal
document. The document should be communicated to all staff, either electronically via an intranet site
or other means. The compliance policy needs to be included in induction and other relevant training.

The compliance manual will contain the following with respect to the compliance function:

Its role and responsibilities.
Measures to ensure its independence.
Its relationship with other risk management functions within the firm and with the internal audit function.
In cases where compliance responsibilities are carried out by staff in different departments, how
these responsibilities are to be allocated among the departments.

64
 The Compliance Function

Its right to obtain access to information necessary to carry out its responsibilities, and the
corresponding duty of staff to cooperate in supplying this information.
Its right to conduct investigations of possible breaches of the compliance policy and to appoint
outside experts to perform this task if appropriate.

2
Its right to be able to freely express and disclose its findings to senior management, and if necessary,
the board of directors or a committee of the board.
Its formal reporting obligations to senior management.
Its right of direct access to the board of directors or a committee of the board.

1.4 An Effective Compliance Function

Learning Objectives
2.1.4 Understand how an effective compliance function can add value to a business
2.1.5 Know how to produce and implement an effective compliance programme

The compliance function needs to take a proactive approach to its dual responsibilities of monitoring
the business and providing advice to senior management. A well-run compliance function can be a
tremendous competitive advantage to a firm, helping to build a strong reputation and attract business.
The key purposes are to:

provide reassurance to the board and senior management that the business is operating in a
compliant manner, through regular reports, ad hoc reports and other management information
provide advice and assistance to the board directors, management and staff to help them to meet
their compliance responsibilities
identify and record good and bad practice; provide feedback on failures in controls and compliance
and provide recommendations for improvements and, where necessary, remedial action
provide analysis and early warning of regulatory change which may impact the business, and to
ensure that such change is communicated to the board and management
build a good and open relationship with the firm’s regulators to ensure they have a good
understanding of the business, the risks involved and how those risks are controlled, and to facilitate
business development where new permissions or licences are required and, where necessary,
resolve issues, and
where relevant, respond and coordinate responses to proposed legislation or regulations with a
view to achieving regulations that, while meeting the objectives, take into account the practical
implications for businesses; such responses may be direct with regulators or through trade
associations.

An effective compliance function will add value to the business. It will keep it on a compliance path,
and its involvement and advice will be sought by all levels of staff in the business. Such a function will
contribute to innovation, business development and other projects. It will be seen as a business enabler
rather than a stereotypical business-prevention unit.

The compliance function will provide senior management with information and advice on compliance
laws, rules, and standards. It will also provide guidance and education for senior management –
especially during times of substantial regulatory change or when the firm is expanding into new
product areas.

65
While these matters can be of great value when successfully deployed, it is important that the
compliance function continues to provide a thorough monitoring programme and ensure that
compliance risk is understood. The compliance officer must, therefore, be able to secure the resources
needed to deliver these goals.

The compliance function usually supports operational areas when preparing/reviewing their procedures
and policies, to ensure that underlying regulatory requirements are correctly incorporated into the
material. With this support given, the first line of defence is better equipped to prevent problems
arising, and the compliance team builds valuable engagement ahead of future monitoring activity.

The compliance function may include specific statutory roles (eg, an officer fulfilling the role of money
laundering reporting officer (MLRO)), and may liaise with relevant external bodies, including
regulators, standard setters and external experts. They may also be responsible for ensuring that
relevant regulatory returns and filings are made, for example, working with a corporate finance
department and signing off the adequacy of capital calculations, or arranging for regular reporting of
transactions, complaints, client assets and money.

Prior to new directors or senior managers taking up their responsibilities, the compliance function
staff would normally coordinate the application to regulators for approval of those individuals, where
required. Similarly, where there was any need for authorisations or variation in the permissions a firm
has, compliance function staff would complete or advise on those applications.

1.4.1 Identification, Measurement and Assessment of Compliance Risk
The compliance function proactively identifies, documents and assesses the compliance risks associated
with the firm’s business activities, including the development of new products and business practices,
the proposed establishment of new types of business or customer relationships, or material changes
in the nature of such relationships. If the firm has, for example, a new products committee, operations
committee or risk management committee, compliance function staff should be represented on such
committees.

The compliance function needs to measure compliance risk (eg, by using performance indicators) and
use such measurements to enhance compliance risk assessment. Technology can be used as a tool in
developing performance indicators by aggregating or filtering data that may be indicative of potential
compliance problems (eg, an increasing number of customer complaints, breach trends, or irregular
trading or payments activity).

The compliance function must assess the appropriateness of the firm’s compliance procedures and
guidelines, promptly follow up any identified deficiencies, and, where necessary, formulate proposals
for amendments.

1.4.2 Monitoring, Testing and Reporting
The compliance function needs to monitor and test compliance by performing sufficient and
representative compliance testing. The results of the compliance testing are reported to the head of
compliance in accordance with the firm’s internal risk management procedures. Determining what
needs to be monitored is part of developing the compliance programme.

66
 The Compliance Function

On a regular basis, the head of compliance reports to senior management on compliance matters. The
reports include the compliance risk assessment during the reporting period, including any changes
in the compliance risk profile based on relevant measurements, such as performance indicators, a
summary of any identified breaches and/or deficiencies and the corrective measures recommended

2
to address them, and a report on corrective measures already taken. The reporting format will be
commensurate with the firm’s compliance risk profile and activities.

1.5 Compliance Monitoring Programme

Learning Objectives
2.2.10 Understand the purpose of a compliance monitoring programme: risk-based; reporting;
planned
2.2.11 Understand the key considerations in developing a compliance monitoring programme
2.2.12 Understand how to conduct an effective compliance monitoring programme: working papers;
minute meetings with senior management; management responses; risk mitigation plans

The compliance programme sets out the responsibilities of the compliance function and its planned
activities such as the implementation and review of specific policies and procedures, compliance risk
assessment, compliance testing, and educating staff on compliance matters. It is the responsibility of the
head of compliance or equivalent, to ensure appropriate coverage across businesses and coordination
among risk management functions.

The purpose of the compliance monitoring programme is to provide an independent review of the
operational work performed by the firm, with a focus on two elements:

1. To confirm whether operational tasks are being performed in line with operational procedures.
2. To confirm whether operational procedures continue to reflect current regulatory requirements.

It is impractical for the compliance function to review every item of processed work – the cost of
supporting such oversight would be uneconomical – and so the compliance function must establish
a method for performing sufficient oversight to be confident that the underlying risks have been
appropriately controlled. Hence, the compliance monitoring programme must be risk based. The
programme involves the review and testing of documentation and completed work items, to identify
findings and recommendations for improvements. Specific working papers are generally used, detailing
the parameters of the testing to be performed, in order to ensure that the scope of each monitoring
review is achieved. The completed working papers also provide a clear evidential record of the review
work performed and the specific items that gave rise to findings.

While such compliance efforts should be independent of operations, it is important that senior
management of the operational area concerned, understand the findings and agree on the remedial
action to be taken. Formal reporting to senior managers in the business is a common step to ensure that
all business areas are aware of the types of issues being identified and the actions being taken to rectify
problems. In larger programmes, the compliance function produces a risk mitigation plan to provide the
board with an overall view of how compliance engagement with the operational areas is improving the
risk position of the business.

67
While firms establish their programmes in different ways, there are essentially three key stages:

Stage 1 – Information Gathering
Information is gathered on potential adverse events – such as errors that may arise in the activities
undertaken by the firm in delivering its products and services. These may include:

payments not made on time
suspicious activity not reported
failure to complete reconciliations (assets or money)
late execution of client instructions
late handling or mishandling of complaints or breaches, and
unsuitable investment advice.

(The above is an illustrative, rather than exhaustive, list.)

Stage 2 – Scoring
The events identified as part of Stage 1 are scored for financial impact, exposure and probability. In
designing the scoring method, it is necessary to decide whether each metric will be scored using
discrete values (eg, a cash value in sterling or a frequency in days) or using relative values.

Financial Impact
Financial impact reflects the magnitude of financial cost were the adverse event to crystallise, and is
usually a relative measure (eg, a ‘1’ may mean an event that could threaten the company’s continued
existence, while a ‘3’ may indicate significant operational disturbance but not have catastrophic
potential). This has benefits because actual or estimated costs vary according to:

the precise nature of the event (versus its high-level definition as per Stage 1)
the particular area or element of activity that gives rise to it, and
precise values, if the event relates to investment transactions.

Similarly, the potential financial impact of a regulatory transgression is difficult to reliably forecast.
Factors to be considered should include:

investigation costs (potentially including third-party review)
compensation costs to affected customers
legal costs in defending the company against regulatory action, and
potential regulatory fines.

A final consideration is the requirement to include the future financial impact of loss of goodwill and/or
reputation due to the event, but the near impossibility of attributing any particular value or amount.

Consequently, financial impact is generally scored according to a set of relative impact ratings (eg, a
scale from ‘high’ to ‘low’).

The head of financial management, for example, the finance director or financial controller, will often
assist by scoring individual events per area, providing experience of the level of past costs, and offering
an informed assessment of likely impact were an event to occur.

68
 The Compliance Function

Exposure Frequency Score
Exposure means how often the activity occurs that could give rise to the adverse event. This can, for
example, be implemented using a conversion table that provides a value approximating to the number
of occurrences expected/evidenced in a single year. Given the number of business days in a year, a value

2
of 250 might be adopted as indicating a ‘daily’ event. From that starting point, you might build the
following conversion table:

500 – Real-time
250 – Daily
50 – Weekly
10 – Monthly
4 – Quarterly
2 – Half-yearly
1 – Annually
0.5 – Infrequently
0.1 – Rarely

When deciding these values, the firm should ensure that the scoring model is appropriately balanced (to
prevent certain types of events being given disproportionate attention, while other types of concerns
do not sufficiently emerge). For example, the ‘real-time’ score needs to balance the following:

Certain activities may occur twice in the working day (eg, work item batching or the receipt of postal
deliveries), matching a score of 500.
Setting a number greater than 500 increases the potential that the model could exaggerate the
effect of an event.

While these scores are largely a matter of fact, care must be taken to ensure the scoring system does
not incorrectly exaggerate or underplay events such as ‘infrequent, with extreme financial impact’ and
‘real-time events having little financial impact’. Use of an ‘additional probability weight field‘ may be
appropriate, or the use of ‘volume’ rather than ‘frequency’ might be preferable for some activities.

Probability Weight
The probability of the adverse event actually occurring must then be determined, taking into account
the strength of procedures and controls within the area. This may be expressed as the ‘probability of
the risk crystallising’, known as a ‘PORC’ factor, which reflects the annualised likelihood of an event
occurring given the management controls that are in place. For example:

Low – 70%

Care must be taken when considering scores of 0% (an impossible event) or 100% (an inevitable
event). Some scoring systems are designed not to recognise such scores, while others will permit
them in certain circumstances. The initial assessment is based on consideration by compliance, audit
and operations management of the findings from past and recent examinations or assessments, the
incidence of breaches and complaints, and the extent of manual processes. Trends and proportions are
more important considerations than absolute numbers, which, in any event, must be reviewed regularly.

69
Stage 3 – Weightings
The above variables represent the risk identified by the business. However, the compliance officer
may need to use additional variables in order to determine the priority subjects for inclusion in the
monitoring programme. Such weighting of priorities can be affected by the following variables:

Anxiety weighting – what is currently worrying the compliance officer about industry/regulator-
expressed concerns – perhaps the regulator is undertaking a thematic review on market timing or
the care and protection given to client assets and money.
Perspective – whereas the gathering of information has been largely based on past experience of
adverse events, here it is appropriate to consider future volumes of business, propose new areas and
the implications for existing operations.
Days since last tested – activities may be considered low risk, perhaps because of low value impact,
or because the controls are considered so strong that it is unlikely that the activity would naturally
come to the top as a result of the risk factors considered so far. In such cases, using a weighting
based on the time elapsed since the activity was last reviewed, ie, that increases as the time-span
gets longer, means that eventually the activity will come to the top of the list and be included in the
monitoring schedule.

Some firms prefer using a plan which is fixed at one point in the year, and then, following that plan for
12 months. A more dynamic approach is to aim to complete the review of all activities over, for example,
an 18-month period, but run the risk assessment on a quarterly basis to focus each quarter’s work on
the most pressing activities; this also allows for any incidents or regulator concerns to be proactively
incorporated into the programme.

1.6 Integration of Regulatory Requirements

Learning Objective
2.1.6 Understand how regulatory requirements should be integrated into operating systems,
policies and procedures

It is important for a firm to ensure that the operational processes and procedures it employs deliver
the outcomes required by regulation. It is also important that the firm establishes controls to ensure
that implementation of new processes and procedures – including changes to associated IT systems
– are performed based on a sound understanding of those regulatory requirements. The regulatory
requirements must be integrated within the firm’s processes.

Successful integration of regulatory requirements and the maintenance of compliant systems,
procedures and controls require the concerted effort of the whole business and the people who make
up the board of directors, management and staff of the firm.

As with most compliance-related issues, integration starts from the top and depends heavily on the
culture of the firm. The board and individual directors must consider whether they have the appropriate
organisation and controls to ensure that regulatory requirements are integrated and compliance is
embedded in the ethos of the firm. They should periodically review their high-level governance policies
and procedures.

70
 The Compliance Function

People – the requirement is to establish an appropriate recruitment programme and hire staff with
the right skills, knowledge and experience relating to the business. This includes setting out the
required competencies, qualifications, experience expected and testing of candidates to ensure
they have the appropriate skills and knowledge required.

2
Allocation of responsibilities – the use of a written job description is a useful guide for
individuals and should include, at a high level, their regulatory responsibilities. This might include a
responsibility for managers to train their staff in financial crime prevention, information security and
treating customers fairly (TCF).
Training – comprehensive training programmes should be in place, ranging from induction
courses, on-the-job training, specialist sessions on regulatory areas and a requirement to undertake
continuing professional development (CPD), including appropriate professional examinations,
with access to regulatory updates or bulletins produced by the compliance function and industry
updates. A minimum number of CPD hours should be set. Periodic training assessments and needs
analysis should be undertaken which use information from a regular appraisal of staff or personal
development reviews.
Procedures – written procedures need to be in place for all areas of the business which provide
guidance for staff on how to perform activities and incorporate compliance processes. In some
firms, they will map the procedures and processes to the relevant regulations and rulebooks. These
procedures should be reviewed and signed off periodically by the local management as compliant.
The compliance function will check samples of these procedures as part of their monitoring
assignments to ensure the validation process is being followed. The compliance function will have
procedures for its own activities.
Systems – the design of operational systems should incorporate all the relevant regulatory
requirements. These should be documented in business requirements, system requirements or
specification documents and be included as part of a robust system and user testing scripts. While
the business areas should specify their requirements, the compliance function will often be called
upon to provide advice and guidance on new procedures and significant changes to regulations.
Again, the regulatory effectiveness of systems and the controls will be included in the sample
checks performed by compliance staff during their monitoring assignments.

1.7 Regulations, Internal Policies and Procedures

Learning Objective
2.1.7 Know the difference between regulations, internal policies and procedures

Regulations, internal policies and procedures are all important to a firm’s governance, though each has
a distinct purpose and origin. Regulations are provided by governments and regulatory bodies to give
clear minimum rules by which businesses can operate. Regulations might be rules-based or principles-
based. Internal policies are created within each firm to guide staff and management in respect of the
core principles by which the firm will achieve compliance and explain the main processes to be followed.
Policies go further than regulations and, for example, set internal codes of conduct with requirements
that go beyond what is required by regulation. Procedures provide the detailed guidance on the action
to be taken by management and staff.

71
Internal policies and procedures reflect the firm’s interpretation of the regulations. The regulations
may offer flexibility and, therefore, different firms may adopt different approaches. Once again, it is
important that the compliance function is involved in reviewing policies to ensure the interpretation is
valid. In some cases, an opinion from external consultants or legal experts may be beneficial.

While regulations, internal policies and procedures serve distinct purposes, conflicts between these
items can arise – particularly in respect of international businesses. Conflicts may arise between the
local regulations in one jurisdiction and the corporate internal policies and procedures handed down
from head office. It is important to identify any such conflicts that arise, and to ensure that regulatory
requirements are satisfied in the resolution.

1.8 Regulatory Implications of Business Strategies

Learning Objective
2.1.8 Understand the potential regulatory implications of business strategies: outsourcing and
oversight; capital requirements; variation of permissions; control framework

1.8.1 Outsourcing and Oversight
Many firms take a strategic decision to concentrate on certain core activities and to outsource other
activities and support functions to specialist suppliers. For example, a global asset manager operating
collective investment funds may decide that it wants to concentrate on management of the investment
portfolios, but outsource all the activities to do with fund accounting, pricing and investor record-
keeping.

Generally, regulations permit firms to outsource the tasks associated with regulated activities – though
the firm retains regulatory responsibility for those tasks outsourced. This means that supervisory or
enforcement action could be taken against the firm if the outsource service provider fails to deliver a
compliant operation. Typically, when outsourcing a material task, the firm needs to advise its regulator
in advance. In some countries, regulatory approval is required before outsourcing, and in some cases,
outsourcing of specific tasks may not be permitted, or a geographic limitation may be applied with a
view to protecting investors.

When outsourcing, a regulator will expect the firm to:

undertake appropriate due diligence of the service provider
retain sufficient expertise to undertake oversight of the outsource service provider, to ensure the
service is compliant and ensure that access to relevant information is provided to both the firm and
the regulator
have a written contract with the service provider together with a clear service level agreement and
establish key performance indicators, and
have agreed with the service provider plans for business continuity and disaster recovery, including
periodic testing of any applicable back-up facilities.

A more detailed checklist for outsourcing is provided in Appendix 2.

72
 The Compliance Function

The European Banking Authority (EBA) has issued guidelines on outsourcing, which came into force
on 30 September 2019. They contain specific provisions for the governance frameworks in relation
to outsourced activities of financial institutions, as well as the related supervisory expectations and
processes. The guidelines specifically state that the financial institution’s management remains

2
responsible for all of their activities including those that are outsourced.

The institution must have sufficient resources available to appropriately support and ensure the
performance of their responsibilities, including overseeing all risk and management of the outsourcing
arrangements. Outsourcing must not lead to a situation in which an institution becomes an ‘empty shell’
that lacks the substance to remain authorised. When the service provider to which operations have been
outsourced is based outside of the EU, they still need to comply with EU rules and regulations if they
provide services to financial institutions based in the EU.

In the US, however, outsourcing by financial institutions is not subject to any regulations.

1.8.2 Capital Requirements
The financial crisis has led to a strengthening of capital requirements and standards by regulators in
many parts of the world. Models for firms to use in calculating capital adequacy (ie, the appropriate
amount of capital a firm should maintain) have become increasingly complex. Examples of international
capital adequacy approaches include the Bank for International Settlements (BIS) Basel II and III Accords
for banks, and the EU’s Solvency II Directive aimed at harmonising capital requirements across the
insurance industry in the EU.

Typically, the regulations and standards set out how to determine the appropriate levels of capital
adequacy given the types of business and levels of risk the business or assets held may represent. Two
approaches are commonly used:

The use of a standard formula for calculating the minimum capital requirements. Depending on the
risk-weighted assets of the firm, the minimum capital requirement may fluctuate. In simple terms,
this means the higher the risk, the greater the capital requirement.
The use of internal models to determine the risk reflecting the firm’s own risk and solvency
assessment. These internal models should better reflect the firm’s risk profile than the adoption of
a standard formula. It may be lower than the capital adequacy requirement based on a standard
formula but equally, it may be higher. The models will need to be approved by the regulator, and are
subject to robust governance.

It is important that the business incorporates its regulatory reporting requirements for capital within its
overall strategy and operations. Retail banking will have a different risk profile to investment banking,
for example. The mix of business chosen and the risk appetite of the institution as set by the board will
have significant implications for capital adequacy and overall regulatory requirements.

Any plans to change the business strategy of the firm should, therefore, take into consideration any
implications for the firm’s capital requirements. A business expansion that might appear profitable
could be undermined if it would require the firm to substantially increase its level of regulatory capital.

73
1.8.3 Variation of Permission (VOP)
One of the ways in which a regulator controls the risks to its objectives is to limit the regulated activities
a firm may undertake. A firm must ensure it holds the relevant permissions for the business it undertakes,
and will also want to ensure it does not hold excess authorisations. The broader its permissions, the
greater the regulatory obligations.

Forward planning is, however, essential for business development purposes and the regulatory implications.
Early involvement of the compliance function will be required if the firm plans to move into new areas of
business, either in terms of an extension of current activities or to diversify into entirely new activities. In many
jurisdictions, the process to amend authorisation is known as a variation of permission (VOP).

The firm typically advises the regulator at an early stage of the firm’s plans and confirms the requirements
for varying the firm’s authorised permissions. In the event of a minor variation, the application for
approval typically requires minimal documentation to be submitted. For minor variations, the approval
process usually takes only a limited amount of time, and can be as little as two to eight weeks.

For major variations, such as an entirely new area of activity, more evidence will need to be provided,
including a detailed overview of the firm’s expertise in the new activity, the risk assessments undertaken
and the detailed business plan. In such cases, the lead time for obtaining regulatory approval can be
lengthy and take up to a year.

Regulators may provide a service level target for processing such applications which are designed to
give the regulator ample time to consider the application.

1.8.4 Control Framework
A key part of the business strategy is understanding the key risks the business will face and how those risks
will be managed. Risks can be mitigated, eliminated, or accepted. Assessment of the risks associated with
any change in business strategy, together with an understanding of the need to control those risks, is vital
to ensuring that the firm is prepared to expand its business activities or adopt some other change in overall
strategy. While change can be positive in realising growth for a company, the compliance officer must ensure
that the regulatory consequences of change have been understood and appropriate plans put in place.

1.8.5 Preparing Compliance Reports

Learning Objectives
2.1.9 Know how to prepare an effective compliance report for management
2.1.10 Know what basic information compliance officers should have access to

There is no prescribed layout for compliance reports, and firms will take differing approaches. Some firms
prefer narrative styles, while others might use a recognisable corporate template to ensure consistency
across the various reviews performed (such as the example shown in Appendix 3).

74
 The Compliance Function

Regardless of the format, the following needs to be taken into consideration:

Initial steps:
The title page and meeting corporate style/standards.

2
Designing a template that meets your needs.
The introduction and contents pages.

Report scope, parameters and people:
The purpose of the (monitoring) review and report.
Compliance ‘project’ reports – summary and objectives.
Acknowledging key personnel.
Any ‘points to be noted’.

Significant pages:
Contents: subject areas considered and reviewed.
The executive summary.
Report findings and recommendations.

The right of reply:
Incorporating management responses.

Issuing the report and document version control:
Recording, retention and revisiting.

Access to Information and Personnel
The compliance function needs to be able to communicate with any staff member and obtain access
to any records or files necessary to enable them to carry out their responsibilities. They need to be able
to independently carry out their responsibilities in all departments of the firm in which compliance risk
exists. They should have the right to conduct investigations of possible breaches of the compliance
policy and to request assistance from specialists within the firm (eg, legal or internal audit) or engage
outside specialists to perform this task if appropriate.

The compliance function should be free to report any irregularities or possible breaches disclosed by its
investigations to senior management, without fear of retaliation or disfavour from management or other
staff members. Although its normal reporting line should be to senior management, the compliance
function needs to have direct access to the board of directors or a board committee, bypassing normal
reporting lines when necessary. Further, it may be useful for the board or a committee of the board
to meet with the head of compliance at least annually, as this will help the board or board committee
to assess the extent to which the firm is managing its compliance risk effectively. In larger firms, the
compliance function will be directly represented on the board with the appointment of a compliance
director who may serve as the chief compliance officer for the company and its subsidiaries.

Examples of the types of records compliance typically access for monitoring purposes fall into three
main categories. They are:

basic
periodic, and
non-essential.

75
Basic Records
Customer applications/instructions.
Suitability/appropriateness test records.
Contract notes.
Transaction records.
Telephone recordings.
Customer correspondence (written and electronic).
Accounts – customer, bank.
Customer asset and money reconciliations, trust letters.
Marketing materials.
Complaints and breach of regulation records.
Suspicious activity reports (SARs).
Court of Protection.
Court orders.
Marriage certificates.
Probate.
Powers of attorney (POAs).
Death certificates.
Anti-money laundering (AML) documents.
Scanning.
Tax vouchers.
Tax-related reports/returns.
Policies.
Procedures.
Distribution records.
Cheque processing.
Risk assessments.
Control reports.
Checklists.

Periodic Records
Prospectus and instruments of constitution.
Staff records for recruitment, fit and proper tests, references, credit checks.
Training and CPD.
Statements issued to customers.
Report and accounts.
Knowledge base.
Websites.

Non-Essential
Supplier invoices.
Management accounts – forecasts/projections.
Adviser/client agreements.

76
 The Compliance Function

2. The Role of the Compliance Function within a Firm

2.1 Responsibilities and Accountabilities of Management

2
and Staff

Learning Objective
2.2.1 Understand the responsibilities and accountabilities of management and staff for compliance
with regulations

Regulators expect the executive management of a firm to ensure that their responsibility for the running
of the firm is clear. When it comes to daily ‘business as usual’ activity, all staff and management of a firm
must, together, ensure that it remains compliant with the regulations.

Operational processes must follow the prescribed procedures to ensure that the right outcomes
are achieved. Any concerns staff might have regarding the accuracy of those procedures should be
escalated for consideration by management. Staff and management must ensure that the training
provided to each person remains current and suited to their role, and that any regulatory training
obligations are satisfied (such as obligations for AML training). While firms will often make such matters
part of the firm’s code of conduct, enabling it to take disciplinary action against staff where relevant, it
is important to recognise that failings in these areas could give rise to regulatory concerns as well as HR
issues. The code of conduct is the firm’s documented expectations of how its staff and management will
act in respect of share dealing, engagement with clients and suppliers, and various other matters.

2.1.1 Understand How to Monitor whether a Business is in Compliance
with Regulations and Internal Policies and Procedures

Learning Objective
2.2.2 Understand how to monitor whether a business is in compliance with regulations and internal
policies and procedures

The common methods used to monitor compliance are:

interviewing relevant staff, management and directors
observing the processes in action and seeing evidence of the controls being operated
testing statistically-based samples of transactions, either in situ or by desk-based review. It is
particularly helpful if compliance staff have direct read-only access to relevant systems such that they
can take their own samples and do not have to rely on operational staff for providing the material
reviewing previous reports, audit reports and other key management information such as key
performance indicators, breach and complaint trends, and
reviewing specific system-produced transaction reports for the compliance function.

77
2.1.2 Risks of Non-Compliance

Learning Objective
2.2.3 Understand the risks associated with non-compliance for firms and the financial services sector

It is generally accepted that no firm can at all times remain fully compliant with all regulatory
requirements. Manual processes are open to error; human beings will make mistakes; fully automated
processes can be vulnerable if system problems arise. While any firm may, at times, experience a
breach of regulation, it is important that the firm appreciates the significance of such breaches and the
potential consequences that could follow. Ultimately, a regulator will have the power to sanction a firm
as well as its executive management in the event that the firm fails to uphold the standards expected.
It is, therefore, important for the firm to distinguish between isolated failings and situations indicating
that a systemic problem exists.

One example of an isolated breach would be where a transaction is misfiled through human error, such
that the transaction is delayed and the investor may receive a worse price on their deal. It is important
that the firm rectifies such cases. Root cause investigations are a valuable control to confirm that the
human error was not caused by a poorly designed process or badly written procedure. Any root cause
identified by the firm should be promptly addressed to prevent continued breaches.

The chief risk faced by a firm is that its regulator will take action if it becomes concerned by the level
or type of breaches arising, or that the firm is failing to address the fundamental causes of problems.
Where the regulator believes the firm’s clients are being put at risk, or where it considers the firm is not
responding appropriately to the regulator’s expectations, the regulator may impose a fine on the firm.
Such fines are often made public, which could undermine client confidence in the firm. In some cases,
the regulator might also take action against the senior management of the business; those individuals
who were personally responsible to the regulator for ensuring the business would be well run.

Aside from the specific cost of any regulatory action taken, the firm is likely to incur substantial additional
expense in managing a period of regulatory investigation. Firms under regulatory investigation will
often retain external support to help their investigations and build a defensive case – all of which has
implications for the firm’s profitability.

In extreme cases, the regulator has the power to revoke authorisation, effectively preventing the firm or
individual from continuing in business. The regulator must seek to ensure that overall confidence in the
financial sector as a whole is maintained, and doing so requires strong action to be taken against those
who have failed to operate at the required standards.

78
 The Compliance Function

2.1.3 Independence of the Compliance Function

Learning Objectives

2
2.2.4 Understand BIS Principle 5 relating to the independence of the compliance function and senior
management accountability
2.2.5 Understand the relationship between compliance and other departments, including ‘three lines
of defence’

Principle 5 of the BCBS’ principles for compliance and the compliance function in banks states that the
compliance function should be independent.

The concept of independence does not mean that the compliance function cannot work closely
with management and staff in the various business units. Indeed, a cooperative working relationship
between compliance function and business units should help to identify and manage compliance risks
at an early stage.

The concept of independence involves four related elements:

Compliance should have a formal status within the firm.
There should be a group compliance officer or head of compliance.
Their responsibilities within the firm should not lead to conflicts of interest.
They should have access to information and personnel.

The independence of the head of compliance and any other staff having compliance responsibilities
may be undermined if they are placed in a position where there is a real or potential conflict between
their compliance responsibilities and their other responsibilities. It is the preference of the BCBS that
compliance function staff perform only compliance responsibilities. The BCBS recognises, however,
that this may not be practicable in smaller banks, smaller business units or in local subsidiaries. In
these cases, therefore, compliance function staff may perform non-compliance tasks, providing that
potential conflicts of interest are avoided. The independence of compliance function staff may also be
undermined if their remuneration is related to the financial performance of the business line for which
they exercise compliance responsibilities. However, remuneration related to the financial performance
of the bank as a whole should generally be acceptable.

Most firms apply the three lines of defence approach or a recognisable variation of it. The first line
is operational controls – such as a ‘quality check’ performed on transactions inputted on the firm’s
systems to reduce the risk of a processing error. Due to the nature of operational activities, such first-line
checks are usually performed only a short period after the initial operational activity so that problem
scenarios can be avoided.

Compliance usually provides the second line of defence; the compliance monitoring programme
discussed above enables sample-based review of the operational tasks performed to validate the
specific performance achieved and to reflect upon whether any improvements might be made to better
secure the operational processes against risk.

79
Finally, the third line of defence is generally delivered by the firm’s internal audit function.

The three lines of defence are complementary, each performing its control responsibilities independent
of the other lines. The frequency of review may reduce as you progress through the lines of defence, but
the depth of critical analysis increases in order to ensure the firm’s processes are mitigating risks to the
optimal level (given budgets and other organisational limits).

The three lines of defence are a clear and consistent organisational and operational structure, including
decision-making powers, reporting and functional links and segregation of duties which are clearly
defined, transparent, consistent, complete and free from conflicts of interest.

2.1.4 Compliance Role in Training and Competence

Learning Objective
2.2.6 Understand the role compliance has in training and maintaining competence and awareness:
educating staff on compliance issues; acting as a contact point for compliance queries from
staff members; providing written guidance to staff

The role of compliance in training largely covers in three main areas:

1. Educating staff on compliance issues.
2. Acting as a point of contact for compliance queries from staff members.
3. Providing written guidance to staff.

Educating Staff on Compliance Issues
Education of staff on compliance matters may be completed in a number of different ways, depending
on the size and approach of the firm.

If there is a learning and development department responsible for delivering training, then they are
likely to be responsible for induction courses and periodic regulatory courses such as those relating to
financial crime prevention. The role of compliance is to review the training material and provide advice
on updating it to reflect any changes in regulations.

Special workshops or training sessions may be required to be prepared and possibly delivered by
compliance staff on specific areas of regulation, such as anti-bribery legislation or new product
regulation. They may also provide sessions in groups or individually for directors and senior management
who are approved by the regulator; this would be to cover the senior management responsibilities so
far as compliance is concerned.

Acting as a Point of Contact
Providing a compliance helpdesk/helpline can be a valuable educational tool. This would deal with day-
to-day queries arising from the business where line managers have not been able to answer the query.
This can then highlight any areas of the firm and activities where there may be a lack of knowledge and
the need for more formal training or guidance to be given. The provision of online facilities with the
compliance function producing an FAQ (frequently asked questions) guide can be useful.

80
 The Compliance Function

Providing Written Guidance to Staff
The compliance department must understand the specific regulations applicable to the business,
though most areas of the business simply need to ensure that the work they undertake remains in line
with the regulatory requirements. As such, the compliance team will need to provide a range of updates

2
and documentation to support the business areas in maintaining the necessary standards and ensuring
that any projects to implement regulatory changes are accurately defined.

There will always be a need for compliance to respond to queries that arise from business-as-usual (BAU)
events. In order to remain efficient, and to avoid any systemic concerns from developing, the compliance
team should periodically consider whether the BAU questions it has received indicate any underlying
concern in a given part of the business. Again, maintaining open and supportive relationships with the
business is important for giving compliance visibility of potential concerns.

Depending on the specific activities of the firm, the compliance team may maintain a formal ‘house
view’ of how certain regulations are to be interpreted or applied. Any change to those rules will require
the compliance function to update its material and communicate any consequences with the business
areas affected. The compliance team might provide periodic internal updates to summarise regulatory
themes or specific matters of interest, providing a ‘call to action’ for the firm to ensure that it is strongly
positioned on a matter of regulatory interest.

For firms with a smaller compliance department, these materials might be gained from participation
in industry events or trade association discussions. The key point is that the compliance function must
ensure it provides guidance to staff in respect of regulatory obligations.

As part of their monitoring programme, the compliance function will review the training and
competence policies of the firm and test the record-keeping relating to those staff in approved or
supervisory roles. This is to ensure that the training plans and CPD have been completed and, where
relevant, that the supervisor or senior manager has assessed the individuals as competent to undertake
their role.

2.1.5 Non-Compliance by Individuals

Learning Objectives
2.2.7 Understand how to monitor an individual’s compliance with regulations and internal policies
and procedures
2.2.8 Understand the range of potential outcomes to remedy non-compliance by an individual
within a firm: training and development activities; internal disciplinary measures; external
regulatory sanction; legal avenues

The directors and management of a firm have responsibility for the day-to-day managing of staff
and providing feedback on any issues arising from an individual’s performance. Quality checking and
assurance processes should be designed to identify non-compliance. If the matter is serious, then it may
be necessary for management to involve the HR or personnel department; if there is a regulatory issue,
the compliance function too.

81
The following list provides examples of methods for the monitoring of an individual’s compliance with
regulations and internal policies and procedures:

Regular appraisal of performance by senior staff – this may range from daily contact and support/
advice provided by those in supervisor, manager or executive roles through to more formal periodic
reviews. Periodic reviews may be monthly, quarterly, half-yearly or annual. Appraisals normally are
interview-based with written records of areas discussed.
Quality checking and assurance processes – this may take the form of manual checks by a second
experienced person. This may range from checking each activity and item of work (ie, checking
100% of the individual’s work) through to checking a sample, for example 10%.
Exception and error reports – automated system reports may be used to identify where
non-compliance may occur. For example, if an investment manager fails to observe investment and
borrowing limits, an automated report may be used to warn when a breach occurs.
Testing on a periodic basis – for example, the firm may provide regular (eg, annual) training and
refresher training on regulatory subjects and internal policies. These sessions will often involve
testing of the individuals to ensure their compliance knowledge is satisfactory.
Self-certification by the individual – a firm may require individuals to sign a declaration
periodically (eg, annually) that they have read and understood the firm’s policies and procedures,
for example, a declaration that the individual has read and understood the policies and procedures
relating to client data protection or privacy.
Audit trails – ensuring that the firm maintains adequate records to demonstrate compliance
is important. Such records, whether paper- or system-based, may be used to demonstrate an
individual’s compliance, as well as the firm’s. In the event that criminal activity is suspected, then a
formal audit of the records may be necessary.

The potential outcomes could involve the following:

Training and development activities – this may involve some coaching by an experienced
member of staff or it may require the individual being temporarily removed from their role while
they are retrained in processes which are compliant.
Internal disciplinary measures – where the individual has acted negligently or repeatedly been
non-compliant, then appropriate internal disciplinary measures may be necessary. This may include
the giving of a verbal or written warning and a record made on their personal file. Where the
behaviour persists, suspension and/or dismissal may be necessary.
External regulatory sanction – in certain cases, it may be necessary for the compliance function
to notify the regulator – remember the principle of an open relationship with your regulator! It is
possible that the individual may be subject to action, particularly if the breach amounted to serious
market abuse; and the firm is at risk too if it failed to have appropriate controls in place or monitor
what was going on. A ban and fine for the individual may be levied, quite separate from any action
against the firm.
Legal avenues – if the breach is related to ML, insider dealing or bribery, for example, then the
regulator may take legal action for any offences committed. Clearly, if convicted of a criminal
offence, the individual may face quite severe penalties; not just a fine, but a potential custodial
sentence.

82
 The Compliance Function

2.1.6 Business Development

Learning Objective

2
2.2.9 Understand the role compliance plays in new business development: due diligence; risk
assessment; scope of regulation and approval; highlighting material changes in the nature of
existing relationships; assessing and reporting potential reputational risks

There are five key aspects to the role compliance plays in the development of new business. These
aspects are:

due diligence
risk assessment
scope of regulation
highlighting material changes in the nature of existing relationships, and
assessing and reporting potential reputational risks.

Where there is an independent compliance department, there tends to be an emphasis on advising the
business. In particular, the role of compliance in approving new products has increased significantly and
is recognised as vital to the product development process. This is an area where compliance can add
value at an early stage in the product approval process and thereby help to avoid problems later on.
It is common at larger firms for there to be written guidelines for new product initiatives, integrating
compliance into the process.

Depending on the relationship between the firm’s compliance and risk management functions,
compliance will either perform or participate in a due diligence review of any new product or service
that the firm wishes to introduce. The focus for compliance is to ensure that the regulatory aspects of
the new service have been correctly understood and determine any impact of the new service upon the
firm’s regulatory permissions or capital requirements. At a later point, compliance will need to verify
marketing communications and regulatory submissions relating to the new service and may review
operational readiness and system test output where the change is substantial.

The wider risk assessment performed in the firm will look at the operational risks of delivering an
accurate and timely service in respect of the new product and consider any potential reputational
damage that the firm may suffer if problems arise. The firm will also need to ensure that the correct
external relationships (eg, partners, clients and suppliers) are in place and ready to support the
expanded business – in terms of volumes, capacity and complexity.

83
 3. Managing Regulatory Relationships

3.1 Regulator Relationship

Learning Objectives
2.3.1 Understand the relationship between the firm and regulator
2.3.2 Understand how an effective regulatory relationship can be of strategic importance to a firm:
advocating opinion; involvement in consultation; drafting regulatory responses; making
representations and applications; obtaining effective guidance

3.1.1 How Regulators Manage the Relationship with Authorised Firms
As a general principle, regulators supervise firms according to the risks they present to the regulator’s
objectives. They assess risks in terms of their impact (the scale of the effect these risks will have on consumers
and the market if they were to happen) and probability (the likelihood of the particular issue occurring).

As noted by the International Organization of Securities Commissions (IOSCO), supervision of market
intermediaries’ conduct through inspection and surveillance helps to ensure the maintenance of high
standards and the protection of investors. These preventative programmes are a necessary complement
to investigation and enforcement programmes. The nature and extent of the supervisory relationship
with an individual firm depend on how much of a risk the regulator considers the firm could pose. It also
may take into account the risks across several firms in the sector (to provide a benchmark) or indeed the
market as a whole. It may use different methods or frameworks to assess that risk, but generally it will
either focus on the firm alone or as part of a sector/industry.

The base level of supervisory intensity depends on impact and probability scores assigned to a firm (or
group of firms) which, in turn, help to determine the nature of the relationship that the regulator has
with a particular firm.

Medium- and High-Impact Firms
In medium- and high-impact firms, the firm may coordinate work through a relationship manager, who
carries out a regular risk assessment and determines a risk mitigation programme proportionate to the
risks identified. The precise volume and type of work undertaken will depend on the size and risk rating
of the firm concerned.

On a regular basis, the regulator will analyse a firm’s financial and other returns and check compliance
with notification requirements. Breaches and other indicators of risk may be followed up by the
supervisory team with the firm’s compliance function.

For high-impact firms, the regulator is likely to apply a closer monitoring regime. This is essentially a
planned ongoing schedule of visits to the firm to meet the firm’s directors and senior management
regularly. In addition, for high-impact firms which are systemic in nature, the regulator may design specific
programmes of core work to assess the biggest risks on the prudential and conduct side of the business.

84
 The Compliance Function

Where possible, the regulator may centralise supervision of all associated firms within a group in a
single team and, when appropriate (for example, if it believes the group has an integrated management
and/or control structure), produce a combined risk assessment and risk mitigation programme covering
all the firms in a group.

2
Low-Impact Firms
If a firm is assessed as low impact, it may not have a specific risk assessment or risk mitigation
programme. These firms are monitored by a combination of base-line monitoring of financial and
other returns, action in response to risks identified by this information, thematic exercises to monitor
compliance standards in a sector and work as part of sector-wide reviews.

Individually, most small firms pose a low risk to a regulator’s objectives. In practice this means, unlike
the larger firms, they do not have regular risk assessments and are usually required to send regulatory
reports less frequently. Small firms are unlikely to have an individual relationship manager.

However, collectively, small firms pose a risk to a regulator’s objectives. The regulator may collect
information from a variety of sources, such as regulatory returns, analyse the data to identify collective
risks and, where necessary, investigate the matter further (eg, using questionnaires or targeted firm
visits), and then communicate the results of the research to the industry. The aim is to change the
behaviour of small firms in a way that improves standards across the industry.

3.1.2 Building the Relationship
Building a good relationship with the regulator is a key role for compliance staff. An effective relationship
is one that is built on mutual trust and enables open and constructive discussion to take place. Indeed, a
commonly accepted principle is that a firm must deal with its regulator in an open and cooperative way
and must appropriately disclose to the regulator anything of which it would reasonably expect notice.
One of the valuable aspects of a good relationship is the ability of the firm’s compliance function to seek
an opinion on issues that arise and discuss resolution, or perhaps seek an opinion on a planned business
development. Similarly, the regulator may wish to seek firms’ opinions on a formal, or informal, basis
about a regulatory issue that may be affecting the sector or industry.

Obtaining effective guidance at an early stage can clearly be of strategic importance to the firm and save
a great deal of time and effort. A constructive relationship with the regulator enhances the opportunity
for such dialogue.

Responding to consultation papers issued by the regulator allows a firm the opportunity to formally
express their opinion on forthcoming regulations. It allows the firm to further provide the regulator with
information about the practical implications of the proposals being made. It is common for regulators
to be accountable for ensuring they understand the business impact and, in some cases, carry out cost-
benefit analysis to ensure the proposals are proportionate.

Such responses to consultations may be collated by trade associations, and the balance of industry
opinion can be analysed and provided to the regulator. This route also allows firms to comment
anonymously. However, firms may decide to respond directly as well as through any relevant trade
association. When drafting such responses, it is usual to set out details of the firm, its position in the
industry and its interest in the consultation being undertaken before going on to respond to the specific
points raised in the consultation paper issued by the regulator.

85
3.1.3 Applications
Obtaining authorisation usually requires a formal application to be made to the regulator. The following
are examples of the various types of information required; in this case, for a retail financial intermediary
firm:

Staff organisational chart.
Business plan information.
Compliance procedures.
Details of the firm’s professional advisers.
An opening balance sheet.
A forecast closing balance sheet after 12 months’ trading or first year’s trading.
A monthly profit and loss account for the first years of trading.
A monthly cash flow forecast.
A copy of the latest annual accounts (if previously traded).
A professional indemnity insurance quotation.

3.1.4 Representations
Where a regulator has made a formal decision to refuse an application or proceed with enforcement, it
will normally offer an appeals process for firms. The representation may be in writing, or it may be an
oral representation, and will, in the normal course, be put to persons who may be independent but are
appointed by the regulator for the purpose of hearing such representations.

3.1.5 Regulatory Visits

Learning Objective
2.3.3 Understand what to do if your firm is the subject of a regulatory or law enforcement visit:
scheduled; unscheduled (‘dawn raid’)

Scheduled Visit
Medium-sized, as well as selected other businesses, can expect to have scheduled visits from their
regulator:

periodically to undertake risk assessments, and/or
as part of thematic research and investigation, perhaps involving a number of firms across the
industry or sector.

Larger firms can expect to receive visits for the same reasons, but they may also attend regular meetings
to discuss specific areas of their business, and to maintain contact with senior management to discuss
the firm’s strategy and corporate plans. In all the above routine-type visits, the firm will normally receive
prior notice of the visit and may well receive a request for information to allow the regulator to carry
out some desk-based analysis and prepare for the visit. Firms may also, as part of the relationship-
building, proactively invite the regulator to their premises to update them on business developments,
organisation structure or to present a corporate update and plans for the business over a period.

86
 The Compliance Function

In all these cases, it is helpful to obtain the cooperation of all relevant areas of the firm who may be
involved in the visit. Planning will enable such a visit to run smoothly: prepare the agenda beforehand,
book meeting rooms, arrange for relevant directors or managers to be available at the times arranged,
arrange refreshments, and organise someone to take notes of the meeting(s).

2
Unscheduled Visit (‘Dawn Raid’)
Regulators may undertake unscheduled visits where they have an ongoing investigation, which
may involve a criminal offence such as insider dealing or ML. Countries around the world are adding
challenges in the form of new laws or the renewed enforcement of existing laws. As national laws are
strengthened, and international regulators cooperate on significant investigations, so the likelihood of
dawn raids increases.

Unscheduled Visit Procedure
Raids may be carried out at dawn but are usually commenced at the start of the working day. They often
take place simultaneously at various offices and homes of key individuals.

A regulator seeking to enter the premises to search for evidence will usually hold a legal search warrant
authorising its action. The raid will, therefore, usually be accompanied by police officers. The firm
should check that the warrant is in order and ensure that the search team does not exceed the authority
granted by the warrant.

The warrant should specify:

the date on which it was issued
the legal authority by which it was issued
the regulatory authority to whom it was granted
each set of premises to be searched, and
the type of articles, materials, or persons sought.

However, the exact nature of warrants will differ between jurisdictions and on the legal basis by which
they are issued.

Once inside, the investigators will search through documents, records and computers.

They are likely to have at least one specialist computer forensics expert in the team. The investigators
are entitled to take copies of any relevant information. If information is not readily available, then the
investigators can ask for it to be compiled. They may also be in possession of a search and seizure order,
in which case they can also take possession of hard drives and original documents. Information or
documents that fall within the terms of the warrant may be seized; however, the police may be able to
seize other material (eg, incriminating material giving direct evidence of a criminal offence) even if not
specified in the warrant.

Legally privileged documents and those that may lead to self-incrimination do not need to be provided.
Legal advice should be sought to ensure there are reasonable grounds to believe that privilege exists. The
investigators must keep a record of all documents they copy and they will ask someone to sign it before
they leave and, at that time, a copy should be taken for the records of the firm.

87
The warrant also entitles the investigators to interview individuals. Failure to cooperate with any aspect
of the raid could be a criminal offence punishable by a prison sentence.

Investigators may be willing to wait for legal representatives to arrive before they commence their
search, but they are not obliged to do so.

Advance Preparation
It is good practice for firms to advise their employees about the possibility of dawn raids occurring and
brief them on the procedure. It is important for staff to understand the scope of the information they
should provide. In particular, they should be aware of the legal consequences of a failure to cooperate
and of tipping off any other persons who may be involved. Firms should have in place procedures for
key staff to follow in the event of a raid, including who should be notified.

Consideration should also be given as to how information is stored and whether legal advice and
communications should be filed separately. This is advisable in any event and in the event of a raid, it
will avoid the inadvertent disclosure of privileged information. In addition, firms are advised to consider
lodging copies of sensitive information with their lawyers. If asked for copies, the firm can advise the
investigators that they are in safekeeping and that the solicitors will undertake to hold them pursuant
to a court order.

Firms should also consider whether the seizing of individual hard drives would inhibit the operation of
the company or if all essential information is held on a central server. Consideration should also be given
as to how the company would respond to any media interest and in relation to advising investors as to
what has occurred. There should be clear internal policies as to how the company would respond if the
activities of an employee or director are the focus of any investigation.

General Checklist in the Event of a Raid
If there is a raid on your property, whether business or residential, it is important that you do the following:

Check that the warrant has been granted against your premises/abode and that it is signed, dated
and sealed and that it is still in date – there will be a window of time for the investigators to make
the raid. Ensure that all investigators present are named on the warrant. Exclude entry to anyone
attempting to enter who is not named.
Advise the investigators that you are contacting your legal adviser and will ask them to be present.
Check the terms of the warrant and the scope of the information which must be provided. Brief employees
as to the scope of the warrant and remember that you do not have to provide privileged legal advice and
that you have the right to redact documents which have information in them which is not relevant.
Cooperate by allowing access to relevant documents and information and advise anyone else
involved to cooperate.
Do not tip off people who may not be present that there is a raid, particularly if you believe that they
may also be involved and advise other employees of the same risk. Ask investigators before you
notify other offices or directors.
Keep a list of all the documents copied/supplied/asked for and also any questions which are asked
and the answers given. The investigators must provide a list of what they are taking. The two lists
should be checked against one another before you accept and sign the investigation record of
documents copied/taken.
Compile a report on the raid.

88
 The Compliance Function

3.1.6 Breaches

Learning Objectives

2
2.3.4 Understand what to do if a regulatory breach occurs
2.3.5 Know what types of information must be disseminated to whom in the event of a regulatory
breach

Minor regulatory breaches need to be recorded in a breaches log and a record needs to be kept of
the resolution of the breach or other action taken. The breach should be reviewed by an appropriate
manager to ensure that all relevant action has been taken, including where appropriate, that
compensation has been paid or that the client has been restored to their correct position.

Analysis of breaches will be helpful to indicate trends and provide managers and senior managers with
information to help control the business, identify any action required and consider any preventative
action for the future. Any client impacted by the breach should be notified and provided with an
explanation of any action taken.

If the breach is a notifiable breach, ie, of a type the regulations state is reportable to the regulator, then
a report should be made (normally within 24 hours of identification). The regulator may request some
form of incident report and an explanation of how the breach was discovered, whether investors were
at risk, and what remedial action has been taken. It will also wish to understand whether the breach
is a single event or evidence of a systemic problem. It is important that relevant directors and senior
managers are aware of any breach that is reportable to the regulator and ensure that the information
provided accurately reflects the issue, the action already taken to rectify the position (and prevent
recurrence), and any ongoing areas of activity.

3.1.7 Confidential Information

Learning Objectives
2.3.6 Know what information may be disseminated and what should remain confidential if financial
crime is suspected or detected
2.3.7 Know what types of information should remain confidential in the normal course of business

If financial crime is suspected or detected, the person discovering the information should report the
matter to the firm’s MLRO, or the police. If the MLRO, on review of the matter, believes it is suspicious,
then they should make a suspicious activity report (SAR) to the appropriate law enforcement agency
(LEA). Failing to report suspicions is a criminal offence.

If a client is being investigated, the LEA will not usually divulge the source of the initial report, although
the client may have the right to see relevant papers/reports should they request them. When an MLRO
makes an SAR, individual staff names are not passed on as part of the process. Staff should not inform
the client that a report is being made about them. This is regarded as tipping off. The staff member may
be liable to imprisonment, a fine, or both if they were convicted of tipping off.

89
Staff may refer concerns about specific transactions or other activity to their line manager to obtain
advice or guidance. However, the suspicion should still be logged and referred to the MLRO.

An example of suspicion raised by staff might include the following:

1. Incident summary – a high level summary of the case, eg, the client did not pass telephone security
questions. Such checks may require the client to quote letters from a password, answer a pre-
advised security question (eg, providing their mother’s maiden name), or confirm their date of birth.
2. Details of the incident – details of the case, including reference to dates and amounts, as
appropriate. For example:

‘The client called on 27 October 2022, they answered the full name, address and date of birth
questions successfully, but they sounded male and the account holder on the system is shown as
a female. The caller came through the automated valuation line and was querying the valuation;
in addition the caller wanted confirmation of how to sell the investment quickly and send
the proceeds to a third party. I informed the client that I could not locate an account with the
information provided and that they should put their request in writing’.

3. Reason for suspicion – an explanation of what made the staff member suspicious regarding
the case, eg, the voice did not sound like a female, the caller was clearly interested in selling the
investment quickly and wished the proceeds to be sent to a third party.

The SAR will be made to the regulator and/or an appropriate arm of the police that deals with financial
crime.

In the normal course of business, the authorised firm will have a duty of care to keep confidential all
the client’s information, including the details of their investments or bank account. Any personal data
will also be subject to relevant data protection or privacy laws. Reporting suspicious activity, therefore,
involves sharing confidential information, but does not constitute a breach of client confidentiality or
data protection/privacy laws in such circumstances.

Such information may only be disclosed where it is necessary for a criminal investigation or in the event of
tax evasion; release of the information may be subject to an appropriate court order being served on the firm.

90