Ten things compliance officers need to do in 2014
2013 was a year of record fines, continuing swathes of global regulatory change and a further increase in the focus on the individual actions or inactions of senior managers.
It continued the trend of previous years, with an unremitting focus on risk, governance and compliance activities within firms.
As a result, 2014 will be a year in which the management of regulatory relations will need to become a core competency for both compliance officers and senior managers as never before.
All the signs are that 2014 will not provide any let-up for compliance functions.
There is no single definitive compliance checklist suitable for all firms, but there is a range of recurring issues that the compliance officers of all firms, whatever jurisdiction or sector they operate in, need to consider.
To increase the chances of a successful, enforcement-free 2014, compliance officers should assess the following:
1. Senior managers
- Senior individuals in financial services firms around the world are vulnerable as never before. Targeting individual senior managers for sanction is set to become the norm for regulators.
2. Culture
- Culture has become something of a buzzword, used by regulators in speeches on the need for fundamental change in financial services firms.
- Culture is, by definition, a uniquely firm-specific phenomenon. There are no detailed rules as to what "good" looks like.
- In particular, regulators are expected to consider how willing a firm is to document, in sufficient detail, the elements that make up its risk culture.
- Although culture is a regulatory expectation without a rulebook, this shifting approach gives risk-aware firms a golden opportunity to define for themselves how they will operate.
- As a bare minimum, senior managers and compliance officers should assess the current state of culture in their firm and be prepared to use the findings from that assessment as a basis for conversation with their regulators.
- One large bank's decision to launch a single compliance standard, based on the highest standards applied anywhere in the world, remains ambitious but, if executed well, could set the benchmark for all globally significant financial institutions.
- A firm holding itself to a publicly high ethical and cultural standard will need not only to live up to those standards but also to be seen to live up to them.
3. Management information
- Compliance officers, together with the other risk, governance and control functions, need both to advise on the quality of the management information in the firm and to ensure that the combined risk governance reporting to the board is effective, streamlined and supports the governance and risk decision-making processes.
- Supervisors should explicitly assess the accuracy and usefulness of the information provided to boards, and consider whether that reporting is sufficient and appropriate to enable board members to discharge their joint and several regulatory responsibilities effectively.
- Boards that approve the risk appetite statement tend to have a higher level of understanding of the firm's risk appetite than boards that merely "receive" or "note" it.
4. Data management
- Data management can sometimes seem to sit outside the mainstream of compliance activities, but it is set to remain a significant focus in 2014 and should be resourced accordingly.
- Data management encompasses everything from data protection and cyber-security to the use of "big data" to assess customer attitudes and behavior. In many firms the compliance function also houses the data protection officer (or equivalent).
5. Outsourcing
- As firms seek to manage costs, the option of outsourcing is often considered. Any firm with outsourcing arrangements would be well advised to include a comprehensive review of them in its work plan for 2014.
- The golden rule of successful outsourcing is that while activities can be moved to a third party, the skills needed to manage and oversee those activities must be retained within the firm.
- Any review of outsourced activities should, as a matter of course, be reported to the board as part of the firm's overall risk reporting.
6. Remuneration
- The emotive issue of remuneration, and of compensation levels being seen to have driven excessive risk-taking, has not gone away.
- Although good progress continues to be made, national authorities and firms must do more to ensure effective implementation of the agreed remuneration practices and standards and, consequently, more prudent risk-taking behavior.
- Overstretch cannot be an excuse for compliance functions not being involved both in the setting of remuneration policies and in the monitoring and reporting of the resulting practices.
7. Learning lessons
- A key objective of regulatory communications is to inform firms of the need to take action, and 2013 was a year of unprecedented fines.
- Regulators fine firms not only to punish the breaches but also to make clear to other firms that they should not make the same mistakes.
- Compliance officers would be well advised to include an analysis of relevant regulatory communications, and any lessons learned from them, in their regular risk reporting. This not only gives visibility to possible issues but also enables senior managers to discuss any matters arising with the regulators.
8. Risk alignment between compliance and internal audit
- Many compliance functions will be spending much more time working with internal audit, which has long been the "poor relation" compared with the time compliance functions spend liaising with the legal and risk functions.
- Although internal audit must retain its independence, it does need to be closely aligned with compliance and the other risk functions; independence does not mean isolation. The most effective firms will be those whose audit, risk and compliance functions speak a common language, have aligned work programs, share risk issues and communicate consistently, both internally and externally.
9. Conflicts of interest
- The identification and management of conflicts of interest is a core competency for all firms.
- Conflicts of interest need to be considered in relation to culture, risk reporting and the consistent delivery of good customer outcomes.
- The focus on conflicts of interest, combined with the increased personal liability of senior managers, highlights the need for firms to review their own approach and ensure that they can consistently evidence that any and all conflicts are identified and managed.
10. Product design
- Compliance functions have often been involved only in the final sign-off of products, but the changing regulatory environment means that their attention needs to move further upstream in the product development life-cycle.
- A common factor in many of the products that subsequently became a cause for concern was the sheer complexity of what had been built. Another was a potentially good product sold to the wrong or inappropriate customers.
- Involving the compliance function at every stage, from product concept, design and manufacture through distribution and post-sales management such as complaints handling, can be seen as a form of insurance against future regulatory action.
Original text: an overview by Susannah Hammond