Unit 8: The Role of the Compliance Function PDF
# Unit 8: The role of the compliance function

## The Role of the Compliance Function

* The planned activities of the various assurance teams benefit the business, and the teams understand their potential impact on day-to-day business.
* Compliance does not rest solely with the compliance function; every part of the business shares responsibility for it.
* Accountability for GRC rests with the board and senior management.

## Summary of Responsibilities

* The compliance function comprises:
  * Identification of compliance risks
  * Implementation of controls
  * Monitoring of those controls
* Each employee is responsible for complying with the controls put in place.
* Close liaison between risk management functions and compliance ensures:
  * Effective information flows
  * Minimisation of gaps and overlaps
  * Good levels of cooperation

## Compliance Function Responsibilities

* The board must discharge its oversight function, and business units must accept responsibility for compliance with internal rules.
* The compliance function must:
  * Educate
  * Advise and monitor
  * Assess effectiveness
  * Generate management information

## Key Learning Point

* The process, if followed correctly, is both dynamic and perpetual.

## Developing GRC Policy and Procedures

### Important

* When designing and implementing internal GRC systems it is important to determine the structure required to achieve the objectives of both the firm and the regulator in relation to compliance risk.
* The structure of the compliance function should be published so that accountabilities are clear and people know who to contact.
* Once the structure is in place, the compliance resources should be determined and allocated to the various tasks.

### Consider

* Interaction with other control functions and business compliance roles.
## The GRC Manual

* Communication of detailed compliance requirements to staff is accomplished through a variety of means including:
  * Training
  * Newsletters
  * Other notifications
* The most important reference document is usually the GRC manual or the compliance manual.

### Think About

* The structure of the manual:
  * Some firms include all compliance, risk and culture-related processes in the manual.
  * Others limit it to key compliance controls, with detailed procedures set out in operational procedure manuals.
* The various manuals and procedures must document all compliance and operational procedures designed to achieve compliance across the business, ensuring that this information is accessible to all employees.
* Quick and easy cross-referencing to other sections is possible using intranet-based systems.
* Careful thought is still required for the communication of compliance requirements.

### Consider

* Ease of updating the manual in response to changes in external regulation and agreed revisions in internal procedure is fundamental if the manual is to remain an accurate and reliable reference document for the business.
* The use of appropriate technology helps considerably in this regard.

## GRC Manual Content

* A compliance or GRC manual serves as a comprehensive reference point for management and regulators for all the procedures with a compliance requirement that a firm has in place.
* Each procedure should be cross-referenced to an applicable policy, with each of the following requirements covered in relation to each rule:
  * An assessment of the likelihood of a policy breach
  * The related compliance procedures
  * The identification of the person responsible for compliance with a procedure
  * The monitoring procedures in place
  * The frequency of application of monitoring procedures
  * The regularity with which the applicability of a policy should be reviewed
* Drafting the manual helps to focus attention upon the role of the compliance function within the GRC mechanisms, and upon assessing the adequacy of the compliance system and framework in place within a financial services business.
* A comprehensive, well considered and relevant manual demonstrates that a business has really thought about the regulatory rules and principles to which it must adhere, the risks it faces, the policies and procedures it has implemented to tackle them and the methods for testing the effectiveness of those policies and procedures.
* It will then help to demonstrate to a regulator that the business is serious about managing its exposure to compliance and regulatory risk.

## High-Level Systems and Controls

* High-level systems and controls are designed to meet the regulatory principles that business be conducted with integrity, due skill, care and diligence, and the requirement for a firm to take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
* Such systems include but are not limited to:
  * Senior management accountabilities
  * Systems and controls arrangements, including board/committee structure, and delegated authorities
  * Prescribed responsibilities for senior management (for example, for financial services in the UK this will fall within the FCA and PRA Senior Managers and Certification Regime requirements)
  * Risk assessment requirements in relation to specific risk categories, for example, operational, market, liquidity, HR, IT, investment and credit risks
  * Corporate governance arrangements
  * Signing authorities and financial limits
  * Managing conflicts of interest for directors/senior managers
  * 'Fit and proper' requirements for senior management
  * Training and competence requirements
  * Internal compliance arrangements
  * Details of the compliance structure and reporting lines
  * Roles and responsibilities for compliance
  * Who to contact; in particular, contact details for the head of compliance/compliance officer and money laundering reporting officer (MLRO)
  * Compliance charter and service levels
  * Information on the regulators, the firm's responsibilities to them, and the regulatory environment
  * The firm's approach to compliance: for example, a risk-based approach to compliance with regulation
  * Monitoring procedures
  * Breach reporting
  * Risks arising from non-compliance; for example, disciplinary action
  * How to escalate issues or report breaches, including 'whistle-blowing' arrangements

## Prudential Regulatory Requirements

* Usually contained in financial control manuals.
* Designed to address the principle that firms must maintain adequate financial resources.
### Example

* Capital adequacy requirements
* Solvency/liquidity requirements or frameworks for calculating such requirements
* Management of the firm's own assets/liabilities
* Procedures for regulatory reporting and financial returns

## Market Conduct and Conflicts of Interest

* Procedures are designed to satisfy the principle that a business must observe proper standards of market conduct and the duty to avoid allowing conflicts of interest to arise.
* These procedures include:
  * Handling confidential and price-sensitive information
  * Insider lists (details of employees with access to privileged and sensitive information relating directly or indirectly to the firm, as required under existing regulations) and information barriers, to keep information contained within the firm or within a specific part of it
  * Dealing restrictions, including personal account dealing procedures
  * Disclosure obligations in relation to personal interests in contracts or relationships with suppliers
  * Restrictions on gifts and hospitality, to avoid conflicts of interest

## Policies and Procedures

### Note

* The policies and procedures to be documented in the GRC manual should address key topics and issues.
* Compliance professionals should assess what is appropriate for inclusion for their own firm in light of the factors previously discussed.
* The compliance function is responsible for maintaining the manual's accuracy, and the business units are responsible for following the policies and procedures.
* Accountability for compliance remains with the board of directors.

### Policy and Procedure Distinction

* Policy: states what you will do and why, in brief.
* Procedure: states how this will be achieved, in detail.

## Promotions and Advertising

* Any advertisement or promotional material for financial services must not be misleading in any way.
* Scandals involving investors who feel that they have been victims of misleading advertisements or promotional material can be extremely damaging.

### Key Learning Point

* It is good practice for the marketing teams, in conjunction with the compliance function, to formulate a final pre-publication checklist to be completed before any advertisements or promotional materials are either placed or issued.
* The checklist should be drafted with reference to any specific advertising or promotional material regulations applicable, particularly where a compliance professional has responsibility for complying with them.

## Capital Adequacy

* Ensuring there is adequate capital is the role of the financial control teams, but compliance professionals must ensure that the calculations are carried out in accordance with regulatory requirements.

## Client Assets

* Procedures for the handling of client assets are vital for a number of reasons, including:
  * Protection against employee fraud
  * A safety barrier to protect the client if a financial services business needs additional finance (or becomes insolvent)

## Segregation and Reconciliation

* Evidence of title to client assets requires that such assets can be identified separately from the assets of the financial services business itself.
* This segregation is designed to ensure that in the event of failure, client money is protected and does not form part of general creditor entitlements.
* In the UK, the FCA rules (contained within CASS, the Client Assets Sourcebook) require financial services businesses to ensure that assets belonging to their customers are ring-fenced from their own, and that reconciliations of client money balances are conducted regularly.

## Registration and Safe Keeping

* Rules ensure that firms make arrangements for the safe keeping of any documents of title, and ensure that any registered investments are either registered in the customer's name or in the name of an eligible nominee/custodian.
* Where a financial services business uses an eligible nominee/custodian (service provider), it must ensure that it has undertaken satisfactory due diligence on the service provider.
* In the case of registered investments, the firm must usually ensure that the investments are properly registered. This may be in the name of:
  * The client
  * The firm itself (or an affiliated custodian/nominee)
  * A recognised or designated investment exchange, or
  * A regulated third-party custodian or nominee.
* Most jurisdictions that impose client asset rules stipulate that customer investments cannot be released without correct customer authorisation.
* Compliance functions must therefore ensure that robust controls, including documented procedures, are in place to prevent the firm from transferring customer investments other than upon receipt of written authority from the customer.
* Where firms have physical custody of documents of title in bearer form on behalf of the customer, these must be kept separate from those belonging to the business itself.

## Complaints

### Important

* Effective complaint-handling procedures show a firm's:
  * Commitment to its customers
  * Seriousness about managing its compliance risk
* Complaint handling is a key component of the FCA's consumer and company conduct expectations.
* Complaint handling is useful in the assessment of wider risk.
* When establishing complaint-handling systems, compliance professionals should ensure that the business is not simply addressing individual complaints, but that it is also using the management information obtained from analysis of complaints effectively, to improve wider systems and controls.
## Confidentiality

* Procedures should cover:
  * Commercial confidentiality
  * Customer confidentiality

## Personal Account Dealing

* Restrictions and controls in relation to personal account dealing (transactions conducted for the personal benefit of those members of staff who may have access to price-sensitive information) are essential controls in the prevention of insider dealing.
* These staff, and senior managers in the firm, are usually required to have all deals for themselves or their close family signed off by the compliance function and senior management.
* Approval will not be given if, for example, the member of staff holds privileged insider information in relation to the proposed transaction.
* A compliance function must implement and monitor procedures to control employee dealing.

### Personal Account Dealing Restrictions

* As a general rule, officers and employees, whether on their own account or on behalf of any third party, must not conduct any of the following forms of transaction:
  * Dealing in investments of any kind in which their employer conducts regulated business, without the permission of the employer
  * Dealing in investments for their own account with any of their employer's customers
  * Dealing in an investment with a customer whose portfolio is under the discretionary management of the employer, unless the customer is closely related to the employee and the employee has the consent of the employer
  * Dealing in a manner that may have an adverse effect on the interest of a customer
  * Knowingly dealing in an investment on behalf of oneself, or any other party, in advance of dealing in accordance with a client's instructions, in a way that is likely to affect the price of the client's investment ('front running')

## Stop and Watch Lists

* Financial services businesses face a conflict of interest where different business units deal in investments and are exposed to information that may affect the price of those investments.
* Stop and watch lists are used to prevent or monitor trading in firms about which a financial services business may have sensitive information that may affect those firms' share prices.
* Stop lists prohibit employees from dealing in the stock of such firms either on their own account or on behalf of customers.
* Watch lists do not prevent employees from trading, but serve to highlight particular stocks so that unusual trades can be identified and investigated.

## Getting All Employees to Understand the Importance of the GRC Framework

### Think About

* An internal compliance framework cannot be fully effective if the business does not have an effective ethical and compliance culture.
* The right culture encourages employees to 'buy in' to making the framework operate.
* Employees must understand and value the importance that is attached to the conduct of ethical business practice.
* This is not just because of fear of the criminal or regulatory repercussions that may occur, but also because of an appreciation of the commercial benefits that it can have for themselves, for their clients and for their employer.

## Factors Affecting the GRC Framework

* All firms must operate within the limits set by their regulators.
* Limits change, perhaps to reflect the way the market is developing, or perhaps in response to an event or situation that has placed either consumers or the prudent financial management of firms at risk.
* Different firms may have different risk profiles depending on their appetite for risk.
* Where there is pressure on businesses to reduce the risk they take, for example in consumer lending, they will respond by reviewing policies and procedures.
* Such changes are made possible by the internal interactions between:
  * Governance
  * Risk
  * Compliance
* Most regulators have devised their own form of risk-based assessment framework to determine the level of attention to be paid to a particular firm.
* Businesses will undergo some form of risk assessment by the regulator at the time of authorisation and periodically thereafter, depending on the risk they are perceived to present to the regulator's objectives.
* The methodologies used vary but it is usual for them to include a means of:
  * Identifying the nature of the risks to the particular business
  * Assessing the probability or likelihood that a given risk will crystallise
  * Estimating the impact of that risk, should it crystallise, on the regulator's objectives
  * Determining the effectiveness of the controls put in place to manage or mitigate that risk
* Once the assessment has been completed, the regulator can determine the appropriate level of supervision and supervisory resources required for the business.
* Risks identified during the assessment will usually be reported back to the firm and should immediately be incorporated into its risk and compliance plans.

## The Operating Environment

* The environment in which the firm does business leads to challenges.
* The operating environment includes:
  * The nature of the customer base, in terms of product and service requirements
  * The geographical spread within which the business operates
  * The channels through which it delivers its products and services, such as online, by telephone contact centres, by post, through a network of branch offices, through intermediaries, etc.
  * Competition and the effects this may have on the commercial pressures involved in competing for market share when these conflict with the GRC requirements to be compliant
* The more diverse the operating environments are, the greater the requirement for internal coordination and control, and the more comprehensively the high-level systems and controls need to be managed.
### Note

* Larger business operations which operate in more markets with more products and services, and using more distribution channels, will face greater challenges in this respect than those firms with a narrower focus and less diversity.

## Risk Appetite, Culture and Ethics in the Firm

### Think About

* A firm's risk appetite will dictate, to a certain extent, the content of its GRC policies and procedures.
* The higher the risk appetite a firm has, the greater the potential of a regulatory or compliance breach materialising.
* The greater the risk appetite, the more controls and potential issues there will be to document.
* The same could be argued over the culture and ethics within the firm.
* If it has a strong culture of compliance and high ethical standards are promoted and demonstrated from the board and senior management levels down, then taking unacceptable risks is less likely than in a firm which does not have the same strong cultural and ethical identity.
* This may be reflected in GRC policy and compliance manuals, where the taking of unacceptable risk is less likely than in a firm that does not have the same corporate identity.
* This may be further reflected in process and procedure documents, where the taking of unacceptable risk is forbidden, and non-compliance with this instruction may even result in some form of action being taken against employees who ignore it.

## Implementing a Principles-Based, Values-Led Compliance Culture

### Key Learning Point

* Successful implementation of an ethical or values-led culture does not involve doing much that is new; what matters is how you do it.
### Steps to Implementing a Principles-Based Culture

* Clear demonstration of the benefits to the firm of developing such a culture
* Reportable progress against targets and objectives
* Employee motivation and feedback
* Identification and implementation of new business opportunities and revised ways of working
* Having a clear medium-term strategy for the development of the system (3-5 years)
* Achieving a system design that meets the firm's needs and priorities
* Achieving accountability through the firm, such that it is driven from the bottom up as well as from the top down
* Achieving integration into existing management processes, such that it becomes part of routine practice rather than an additional task
* Reporting progress

### Problems or Obstacles

* Inability to secure sustained board-level commitment
* Problems with setting meaningful targets and objectives
* Difficulty in assessing the value of 'intangible' benefits, such as an improvement in reputation/brand value
* The need to find solutions balancing CSR and ESG issues with other factors in relation to product and service provision
* Difficulties in implementing and developing appropriate CSR reporting and compliant ESG disclosures

### Key to Implementing a Values-Led Culture

* Regardless of how well thought through the above approach is, ultimately, the key to implementing the right culture rests in the ability to influence behaviour and attitudes to nurture the desired culture.
* A code of conduct can be a useful means of communicating a consistent message.
## Extract: Benefits of a Code of Conduct

* The website of the Institute of Business Ethics (IBE) describes the benefits of a code of conduct as follows:
  * A code of ethics (otherwise an ethical policy, code of conduct, statement of business practice or a set of business principles) can be a management tool for establishing and articulating the corporate values, responsibilities, obligations, and ethical ambitions of an organisation and the way it functions.
  * It provides guidance to employees on how to handle situations which pose a dilemma between alternative right courses of action, or when faced with pressure to consider right and wrong.
  * No two codes will be the same. They must reflect the concerns of the employees of the particular organisation and the context of the relationships and business environment in which it operates.

### Important

* Nonetheless, it is important to recognise the limitations of a code of conduct: in itself, it is no guarantee of success.
* One commentator compared it to discovering the Titanic's 'Safety at Sea' manual!

### Key Learning Point

* Desired behaviours need to be constantly reinforced and rewarded so that the values for which the firm stands are visible and part of daily business life.
* Likewise, those contravening the firm's ethics should be left in no doubt that their behaviour is not acceptable.

## Asking the Right Questions: How Should Firms and Regulators Go About Instilling an Ethical Culture?

### Extract: How Should Firms and Regulators Go About Instilling an Ethical Culture?

* Julia Black and Karen Anderson note that events show that 'simply having a code of ethics in place is not enough'.
* They go on to suggest the necessity of conducting a regular review of such codes, asking whether they:
  * Address how consumers (not just shareholders) should be protected, not as a token gesture but in a meaningful way;
  * Contain clear practical guidance on day-to-day ethical questions in a consistent and rigorous manner; and
  * Go beyond that which is simply required to comply with the law and regulation.
* Clearly, a code on its own will not dissuade financial services staff from behaviour that has a negative impact on customers and wider stakeholders.
* Other suggestions have ranged from a 'Hippocratic oath' for bankers, similar to that for doctors, compelling them to consider the effect of their actions and decisions on the wider economy and society, to the creation of the Banking Standards Review Council (BSRC) in the UK.
* Black and Anderson conclude that:
  * There is little doubt that ethical standards across the financial services industry have been called into significant question across all areas, from the setting of benchmarks including Libor, to sales to retail investors.
  * There is also little doubt that embedding ethical cultures within firms is a difficult task.
  * Whilst regulation has a role to play in deterring unethical conduct and promoting appropriate behaviour, ultimate responsibility has to lie with firms themselves, including their shareholders.
  * Firms need to focus on their incentives and remuneration structures to ensure that compliant and ethical conduct is rewarded, and provide clear and practical guidance on how it can be achieved.

## Example

* The UK FSA's Discussion Paper 18 (2002) suggests that the key to embedding a values-led culture is for compliance professionals to be asking different questions, in addition to applying the risk-based approach they currently use.
* These questions stimulate thinking about priorities and balancing.

## Suggested Questions by the FSA

* The FSA DP18: An Ethical Framework for Financial Services provides some suggested questions to help recognise, apply and balance values in everyday decisions and actions.
* They follow values illustrated by the FSA, which have been adopted by the FCA/PRA in part or as a whole:
  * Open, honest, responsive and accountable
    * Who is left out or kept in the dark? Why?
    * How happy are we to be associated with our decisions/actions?
    * Are we listening or just hearing?
    * What can we learn? How do we help others to understand us?
    * How do we recognise and deal with conflicts of interest?
  * Relating to colleagues and customers fairly and with respect
    * Do we treat everyone as we would like to be treated?
    * Do we deal with people with respect and without prejudice?
    * How do we keep rights and obligations in balance and proportionate?
    * When do we hold to our commitments and resist 'fudging'?
    * Who benefits and who loses out? Should they?
  * Committed to acting competently, responsibly and reliably
    * Do we do what we say we will do?
    * Under pressure do we swap co-operation for coercion?
    * Do we dither or delay? How is error treated?
    * Do people trust us? If not, why not?
    * Can we meet our commitments and plans?

## Embedding Values

* To embed these values, the following is needed:
  * *Developing vision and a values-led approach*
    * What needs changing? What prevents change?
    * What is the long-term outcome? What is sustainable?
    * Do we sufficiently recognise and act on our stakeholder responsibilities?
    * How do we develop shared purpose, loyalty and fulfilment?
    * Do we apply ethical criteria simply to gain an advantage or because we believe we should?

### Note

* These questions are just a start and firms need to produce their own questions that are suitable for their unique context.
* They need to be asked every day at every level in different ways.
* No one question is the key; they need to be used together, and it is the intersection of many viewpoints that creates a strong position.

## Engaging Stakeholders

* In this searching-learning approach, the widest possible engagement of stakeholders is essential.
* AccountAbility produces a standard for effective stakeholder engagement: AA1000SES (2015).

## Extract: Engagement is the Key to Business Success

* *Stakeholder engagement is the process used by an organisation to engage relevant stakeholders for a clear purpose to achieve accepted outcomes. It is now also recognised as a fundamental accountability mechanism, since it obliges an organisation to involve stakeholders in identifying, understanding and responding to sustainability issues and concerns, and to report, explain and be answerable to Stakeholders for decisions, actions and performance.*

### Consider

* This is not an easy route and many firms have tried 'quick fixes'.
* In some ways CSR policies can be used as a quick fix, and superficial 'greenwash' has become devalued in some people's eyes as a way of getting good PR without changing anything in the engine room.
* Other off-the-shelf solutions include balanced scorecard measures for assessing performance that try to resolve the inherent dilemmas in this difficult area.
* But this tick-box approach tends to produce 'scientifically correct solutions' that sometimes seem unworkable and counter-intuitive. Fuller, wider engagement and discussion can produce a better answer.
* Some firms may also bring together their cultural approaches in a branded 'whole of company' policy, partly to help internal recognition and buy-in.
* But creating lots of new committees, such as TCF committees, is rarely an effective solution.
* More recently, suggestions on building culture within the workplace drew the (obvious) connections with employees' personal values that are not necessarily directly linked with their professional roles or positions.
## Extract: Build a Culture That Aligns with People's Values

* These suggestions are based on the following starting point:
  * Candidates are seeking workplaces where they can intertwine their beliefs with those of the company, and work together on a common vision of purpose and success.

## Learning Outcomes

* After completing this unit you should be able to:
  * Show your understanding of the role compliance training and education plays in governance, risk and compliance systems and controls
  * Recognise the importance of advising, guiding, and consulting with the business
  * Demonstrate the value of monitoring and reporting in providing the routes for assurance and escalation
  * Illustrate how designing and implementing systems and controls promotes the effective management of the firm

## Tasks

1. Firms are encouraged to measure and report on key high-risk activities, or areas of the business that pose the most significant risks, on a 'traffic light' or 'RAG' basis. For an area of your business you are familiar with, draw up a dashboard which highlights the key risk areas of concern to you.
   * How does your version compare with those published by your firm?
   * Is there anything included in your report which you believe would add value to the ones already discussed (for example in risk committees)?
   * Based on the content of your own dashboard, explain how frequently you think the thresholds in the report (for the traffic light or RAG scores) should be changed, and why you think this timescale appropriate.
2. Review your firm's governance, risk and compliance manual and associated policies and procedures. Identify those which refer to:
   * Approved Persons/Senior Management Functions/Authorised individuals
   * Conflicts of interest
   * Your firm's approach to treating customers fairly
3. Prepare a briefing note or contribution to your firm's intranet site which explains to all employees the critical importance of the GRC framework, and why they need to understand how it works in practice.
4. Research the conflict of interest, or gifts and hospitality, policy for your firm. Examine how either of them works in practice, and identify the steps that all employees need to take to comply with the chosen policy.
5. Identify measures that you could implement to improve the perception of strong corporate values in your organisation. Think about how you could improve employees' understanding of the benefits that can be gained from instilling better values, if you have identified any shortcomings.