Ten things compliance officers need to do in 2016

by Susannah Hammond, Regulatory Intelligence

In theory, 2015 was the year when the big pieces of regulatory change were to be clarified. It was when the implementation of previous changes would mean not only that firms would begin to have more breathing space in terms of regulation, but also that super-sized fines and new financial services scandals would be consigned to the past.

Neither promise was fulfilled. Some set piece regulatory changes were finalized but others, notably the European Data Protection Regulation and the Markets in Financial Instruments Directive II and parallel Regulation (MiFID 2/R), are either still having the detail negotiated, have been delayed, or both. This has international significance as both pieces of legislation will have implications beyond Europe.

2015 saw firms fined, forced to change and have their business activities curtailed, while senior individuals were sanctioned, fined, banned and even jailed for breaches of the rulebook and other wrongdoing. Regulators have not stepped back from enforcement activities; indeed, developing best practice was codified in a July 2015 report from the International Organization of Securities Commissions (IOSCO) regarding credible deterrence in the enforcement of securities regulation.

As with many publications produced by supranational bodies, the IOSCO report has relevance across the breadth of financial services, with a particular feature being that firms need to learn the lessons from the wrongdoing of others.

Perhaps the defining international regulatory theme for 2016 will be that of conduct risk. At the Thomson Reuters Pan Asian Regulatory Summit held in October 2015, the audience was polled on the biggest areas of focus for regulation in Asia during 2016. Conduct risk was first. Anti-money laundering was in second place.

In the UK, conduct risk and the need for consistently good customer outcomes became a regulatory mantra, while in the United States, the conduct of individuals and the culture of firms was a feature of many regulatory speeches and publications.

Some firms had considered the concept of conduct risk as an international regulatory theme to be something of a flash in the pan, another item in the list of hotspots and buzzwords that would gradually disappear if ignored for long enough. It has now been made clear that conduct risk is here to stay as a regulatory concept and expectation for all financial services firms.

2016 is when firms need to finish defining for themselves exactly what conduct risk means for their business activities and to ensure that appropriate levels of skilled resources are deployed to evidence its implementation, embedding and monitoring.

The qualitative nature of conduct risk, particularly when accompanied by the stronger focus on individual accountability, also puts the 2016 spotlight on the need for high-quality regulatory relationship management. Conduct risk is all about context and the ability to evidence and explain the “how” as well as the “what” of all business undertaken.

Senior managers, expertly briefed by the compliance function, will be expected to be able to discuss the impact of all relevant regulatory changes, customer-centric strategies and the firm-specific working definition of conduct risk with regulators, as well as the approach taken to monitoring and reporting on all risk issues.

Anyone meeting with a regulator should, as a matter of course, take and keep comprehensive notes of the discussion and should retain a record of any documents or other information exchanged. The need for detailed meeting notes becomes essential when discussing any aspect of conduct risk management. Indeed, many firms are now expressly seeking to confirm in writing any meeting notes with relevant regulators to ensure clarity of understanding.

The importance of the compliance function has become a given, but compliance officers need to be front and center to give their firms the best chance of a trouble-free 2016. Despite the sheer range of activities undertaken by financial services firms, there are a number of consistent issues or challenges that all compliance officers, no matter the size, jurisdiction or sector of their firm, will need to consider. In no particular order, the following issues should be assessed by compliance officers in 2016.

Chapter One

Personal liability

Individual accountability, personal liability and the need to manage personal regulatory risk have all grown in importance in recent years. Speeches and policy statements have now given way to new regulatory approaches. In the UK, the first phase of the Senior Managers and Certification Regime (SM&CR) will come into force for banks in March 2016, with all other sectors and levels of personnel likely to be subject to the new regime by 2018.

In the United States, the Yates Memo drew a straight line between individual accountability and corporate wrongdoing and resulted in the U.S. Attorneys’ Manual being updated in November 2015.

As a clear statement of regulatory expectations, Sally Quillian Yates, deputy attorney general at the U.S. Department of Justice, said, “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”

Such accountability is important for several reasons:

  • It deters future illegal activity
  • It incentivizes changes in corporate behavior
  • It ensures that the proper parties are held responsible for their actions
  • It promotes the public’s confidence in our justice system

The need for better behavior by senior individuals in firms is seen as a prerequisite for a more stable and enforcement-free future.

This point was also picked up by Norman Chan, chief executive of the Hong Kong Monetary Authority, when he said in April 2015, “Regulators can set standards and provide some external checks and balances. But there is no substitute for internal governance and controls that are designed to achieve the desired behavioral change across the entire firm.”

The need to hold, and to be seen to hold, senior managers personally responsible for regulatory breaches and corporate wrongdoing needs to be handled with great care by regulators. Credible deterrence driving better risk-aware, customer-centric behavior is one thing, but it must be seen to be applied even-handedly. There has already been something of a backlash in the United States, where the perceived targeting of compliance officers now risks driving talented individuals out of the industry.

Given that regulatory personal liability is here to stay, compliance officers will need to assess what “good” looks like in terms of their own personal regulatory risk management. This can then, in turn, be used as the blueprint for everyone else. There are several benefits for compliance officers thinking through in detail how best to manage their own personal regulatory risk.

Most obviously they themselves will stay out of regulatory trouble. Other benefits include being able to advise fellow senior managers around the world on best practice. Once they have the infrastructure and protocols in place to manage their own risk, they will be able to devote more attention back to the day job of firm compliance.


Chapter Two

Job descriptions

Job descriptions are often only considered in any kind of detail when someone is new to their role, and even then they tend to be high-level, general and static documents. Even rarer is a systematic interlinking of all roles, job descriptions and accountabilities seamlessly covering all the business activities of a firm. One immediate area for compliance officers to consider is the need for job descriptions to become much more detailed.

It will not necessarily fall to the compliance function to “own” the need to review and document all roles, how they fit together and how the associated responsibilities are discharged, but compliance should ensure that the project is undertaken and should have significant input into the parameters, coverage and subsequent monitoring.

Anecdotally, cottage industries have emerged to help some of the larger firms pull together the required job descriptions so that they include all reporting lines, business activities, directorships, spans of control, performance metrics, compensation criteria, regulatory registrations, attestations, training, committee memberships, management information flows and project sign-offs.

One area of particular importance is when any reporting line or significant influence is extended across borders so that more than one regulatory regime’s requirements will need to be satisfied and, if need be, evidence provided to confirm that all accountabilities have been discharged.

All job descriptions must be kept up to date, and there must be complete coverage of the entire business. Some firms are considering the issue from the business activity end of the spectrum, building the accountabilities associated with each activity or function as something of a standard and then using these building blocks to create the job descriptions for those allocated responsibility. Either way, the new, much more detailed job descriptions can be used as one of the main ways to evidence the effective performance of responsibilities. As part of the daily management of the firm, senior individuals will routinely need to collect and maintain the evidence to show how they discharged all their obligations and responsibilities — an approach now hardwired into those firms that require senior managers to attest on a regular basis that they, and the businesses under their control, are compliant.

Chapter Three

Line of sight

Risk and control functions need to have line of sight to all risks arising in their firm. Equally, senior individuals need to have line of sight to all activities under their management. As both recent enforcement actions and survey results have shown, there is distinct skepticism about firms’ abilities to achieve the required level of transparency regarding business activities and their associated risks.

In 2015, Thomson Reuters conducted a survey on personal liability and on line of sight, and half the respondents (49 percent) reported that senior managers “do not really know what is going on in their business.”

Enforcement actions, including the JPMorgan London Whale failings, Citigroup’s trade surveillance lapses and Barclays’ financial crime failings, have all highlighted issues where either senior managers or the risk and control functions, or indeed both, were unaware of some or all of the activities being conducted. There are two messages for compliance functions.

The first is to reinforce with senior individuals the need for compliance (and the other risk and control functions) to be kept informed of all activities. The fine imposed on Barclays in November 2015 was notable for a number of reasons, including the fact that the huge deal in question was kept, quite deliberately, outside the usual operating protocols of the firm. The compliance function was unaware of the deal and the matter, and the associated failings only came to light when the regulator discussed the deal with the firm.

It is not necessarily a bad thing if a deal (or whatever) is transacted outside the usual risk and control infrastructures, but it is essential that the firm’s policies and procedures are applied to the extent possible and that any adaptations or derogations are approved at a senior level and have compliance sign-off. In particular, any manual workarounds that take automated checks and reviews out of the equation need to be considered with caution and appropriate alternative monitoring undertaken.

Ideally, firms should have flexibility in the approach to the assessment, management, mitigation and monitoring of all risks, including those associated with financial crime. Running with agreed-upon levels of identified residual risk is normal but, as in the Barclays deal, doing business with an entire suite of potentially higher-risk clients with incomplete due diligence leaves a firm exposed to large unidentified risks. It is not just the risk that the firm may be used for financial crime but, as a result of the lack of line of sight, the risk of enforcement action against both the firm and individuals.

The other lesson for compliance functions is the need for both a stand-back approach and a strong degree of skepticism about the operation of controls and IT systems. A prime example is that of Citigroup, where the crux of the U.S. enforcement action was the lack of required trade surveillance. Unbeknown to compliance, the automated system intended to “tag” trades that were done in restricted securities had been turned off, leaving the daily exception reports nearly worthless.

Very few firms have seamless IT systems, and more often than not, legacy systems are built on top of one another, creating ever more complex platforms. Compliance functions need to ensure they can test that critical processes are operating as required and that they have a line of sight to any assumptions, manual workarounds, incompatibilities and gaps. As many firms have found, it is discouraging to find that problems exist but infinitely worse not to know.

Chapter Four

Conflicts of interest

Conflicts of interest is a regulatory topic that has been at the center of numerous enforcement cases and that has, in the past, driven the UK regulator to require an attestation from the chief executives of asset managers that all conflicts had been identified and managed. In the United States, firms as diverse as BlackRock and Promontory have been sanctioned for conflicts of interest failings.

Conflicts of interest is seen as an important component of conduct risk, and the continued spotlight on this area should encourage all firms, regardless of jurisdiction, to review their governance and control arrangements. The need for consistently better customer outcomes is another influence on firms to check and to demonstrate that they have taken an appropriate approach to conflicts of interest.

As a first step, all compliance functions should consider including a wholesale review of conflicts of interest identification, management and mitigation as part of their monitoring plans for 2016. There are some good practice examples that firms can leverage and that could be quick wins for compliance, including the fact that the best control frameworks for the identification and management of conflicts of interest tend to be designed jointly by business and compliance functions.

Firms that take this approach often have standards that are relevant to the nature of the conflict and operationally effective and accepted by business staff. Many of these standards will also be aligned to regulatory expectations and good market practice.

Monitoring conflicts can also be more effective when conducted by both business and compliance functions. Work carried out by the UK Financial Conduct Authority (FCA) suggested that firms that relied solely on monitoring performed by the compliance department were unable to demonstrate effectively how compliance staff challenged investment and trading decisions made by senior investment professionals.

Monitoring conflicts will also be more effective when boards receive adequate management information. Examples of good practice in compliance monitoring work included looking at whether controls continued to meet their objectives and whether compliance standards used to manage conflicts reflected developments in market practices and new regulations.

Lastly, conflicts will be better managed when boards have committees dedicated to conflicts of interest management. Such governance bodies can challenge and approve conflict identification, control design work undertaken by others, define the management information they wish to receive and review the implications of materials presented to them. Issues can arise in international firms, and firms would be well advised to operate internationally to a single, high-level and transparent standard.

Chapter Five


In some firms, recordkeeping has been neglected in terms of resources and focus from senior managers, but without consistent, easily retrievable and comprehensive recordkeeping, firms and individuals will be unable to evidence compliance with rulebooks and regulatory expectations. Good recordkeeping is even more essential in a world where firms are expected to be able to evidence compliance with inherently qualitative conduct risk requirements.

Recordkeeping should be a core competency for all financial services firms. There is no point investing in systems and controls infrastructure if part of that investment does not also enable a firm to evidence compliant activities. Compliance officers would be well advised to include rigorous testing of all aspects of recordkeeping in their monitoring programs, with a particular focus on data protection issues, cross-border access, the management of any paper records and the repeatability of data accessed from legacy systems.

Chapter Six


In recent years, compliance functions have had to become more and more technologically aware. It is not just a question of needing to consider cyber resilience, but also the potential implications of developments such as financial technology (fintech), virtual currencies, big data and robo-advice. Compliance functions must ensure that they become and remain as up-to-date as possible with regard to technological innovations.

Automated financial advice is one area that is set to grow rapidly, with Australia reportedly one country where the first wave of robo-advice is being rolled out by both small start-ups and the established banks. These early entrants are focusing on general investment advice rather than a full-service approach, although the expectation is for the service offering to expand quickly.

Compliance functions need to be involved in every stage of any new development and to have the knowledge, skills and understanding to apply relevant rulebooks to innovative technological business plans. Robo-advice may well end up being a game changer for the asset management sector but it will only truly thrive into the medium term if firms, and critically their skilled compliance functions, can implement in practice the protocols t

Chapter Seven


Outsourcing came to the forefront for all the wrong reasons in 2015. It was a near-universal theme, with Western Union in the Republic of Ireland and R. Raphael & Sons in the UK both being sanctioned for specific outsourcing failures, while in the United States a risk alert was issued, warning of the dangers of outsourcing compliance functions. As a measure of the potential seriousness of the issue, in the case of Raphaels Bank, the UK Prudential Regulation Authority (PRA) drew a line between the outsourcing failures and financial stability.

The UK PRA is not alone among regulators in summing up its expectation that “while a firm may outsource the practical aspects of the outsourced function, it may not outsource its regulatory responsibilities as they relate to the outsourced function.”

Outsourcing is commonplace in the modern world and, done well, with sufficient in-house skilled resources to manage any outsourcing arrangements, it can be cost-effective for the firm and its customers. Done badly, it can be an expensive mistake, as the firm finds itself needing to rebuild or move, at speed, in-house skills and capacity, repair damage done to customer relations and deal with regulatory action, as well as any wider supervisory ramifications.

The golden rule for successful outsourcing is that, although activities can be moved to a different group, company or a third party, the skills to manage those activities must be retained. The rule applies equally, although perhaps less obviously, to intra-group outsourcing.

Compliance functions would be well advised to include a review of all outsourcing arrangements as another item in their monitoring plans.

There are myriad elements to consider, including the need for upfront due diligence on the outsourcer even when it is a group company, as well as a detailed written agreement specifying all aspects of the outsourced arrangements. Monitoring can usefully ensure that the documentation remains current and matches the activities being undertaken.

The ability to physically access the offsite outsource location can be an important issue. Despite often tight travel budgets, every effort should be made to conduct an onsite visit at least annually to all major or material outsourcers, even those in the same group of companies.

Other areas for consideration include the level, timeliness and quality of the information flows, the resilience of the outsource company and the contractual right to be informed before any of the firm’s data or activity is outsourced from the outsourcer. Too many firms have found that their data has been passed on and away from their original outsourcer to numerous other entities, with all the possible loss, contagion, reputational and concentration risks that might then arise.

Chapter Eight


It might be tempting to think that suitability is simply an issue for retail firms but some wholesale firms have also been less than scrupulous in either sales to other firms or in the manufacture of retail financial services products. Suitability issues remain an international theme, with a focus on vulnerable (often senior) investors in the United States and scandals in the financial planning industry in Australia.

In the UK the FCA published the findings from its review of the suitability of retail investment portfolios provided by wealth management and private banking firms. The regulator’s December 2015 thematic review was the latest in a series of UK regulatory actions and while some firms have improved, many were found still to need to make substantial improvements in gathering, recording and regularly updating customer information to support the investment portfolios they managed for customers.

In addition, firms need to do more to ensure that the composition of the portfolios they manage truly reflects the investment needs and risk appetites of their customers, especially those who have a limited capacity for, or desire to expose themselves to the risk of, capital loss. Firms also need to ensure that their governance, monitoring and assessment arrangements are sufficient to meet their regulatory responsibilities in relation to suitability.

Suitability has been a central requirement of financial services regulation since its inception. The latest iteration has focused on good customer outcomes wrapped around the need for visibly strong positive culture and conduct risk in operation in firms worldwide.

Every mis-selling scandal has its roots in suitability failings. The wrong product sold to the wrong person has caused widespread customer detriment and has proved difficult for regulators to stamp out.

Many of the emerging suitability best practices have been codified and are to be hardwired into MiFID 2/R which, although its implementation has been delayed, is setting the benchmark for investment and other product sales to retail customers. Compliance functions could do worse than begin to consider and review their firm’s approach to, and capacity to deliver, consistent suitability. The elements which make up consistent compliance with all suitability obligations continue to evolve but there are essentials for all firms to consider, including:

Focus on the client.
Although any policies and procedures designed to ensure compliance with suitability obligations should be customer-centric, too many firms have designed procedures that suit their particular operating model rather than starting with the client and working back. Feedback from the European Securities and Markets Authority (ESMA) in particular wholly rejected firms’ complaints about some requirements being difficult and expensive to comply with: Investor protection is to be put first, with the convenience or expediency of the firm being almost totally discounted from the argument.

Firms need to invest in maintaining an up-to-date understanding of their customer. As a minimum, firms should aim to carry out an in-depth annual review of their entire advised client base with a view to assessing any changes in circumstances. Particular sensitivity needs to be exercised as clients age or become more vulnerable in other ways. Many firms, for example, have an age-based product recommendation matrix to help guide investment decisions and clearly articulated policies on powers of attorney and living wills.

The potential need to de-risk business undertaken with retail clients.
There are several aspects to this. At one end of the spectrum, some firms may choose to stop dealing with retail customers, but even if firms stop advising and distributing, the slew of obligations on manufacturers of retail investment products may well remain. Another option is to choose to sell less complex products. This was the clear suggestion in a May 2015 speech entitled “Structured Products – Complexity and Disclosure – Do Retail Investors Really Understand What They Are Buying and What the Risks Are?” given by Amy M. Starr, chief of the Office of Capital Markets Trends at the U.S. Securities and Exchange Commission.
The speech is required reading for all manufacturers and distributors of potentially complex products in the United States and gives useful insight into regulatory expectations on suitability. That said, the speech comes with a warning shot on undue complexity.
“How many retail investors cry out to their brokers or advisers that they have to buy an incredibly complex product that they don’t understand that will provide them exposure to an esoteric, customized or proprietary index that they don’t understand? I would suggest few, if any,” Starr said.

Evidence, evidence and more evidence.
As has been noted above, documentation and recordkeeping has sometimes been neglected when it comes to both IT spend and skilled compliance resources, but for suitability to be evidenced consistently, firms need to be prepared to invest in the appropriate levels of infrastructure, systems, controls, policies and procedures all regularly monitored and tested for effectiveness. Customer-facing documentation, which is the critical interface between a firm and its retail client base, needs to be prepared with care. Best practices for client documentation include:

  • The capture, reiteration and express agreement of the client’s needs, demands, priorities and objectives that takes account of existing assets, liabilities and investments
  • The use of clear, plain language, with any detailed technical information kept to, for example, an appendix
  • An already benchmarked layout of client documentation, with best practices regarding the use of bold text and bullet points rather than long sentences, and reusing the customer’s own words
  • Any client documentation tailored absolutely to the specific circumstances of the customer and a full explanation provided of why the recommendations made are both appropriate and suitable.

This is another essential investment for firms and their sales forces. The chances are slim of suitability obligations being fulfilled if the sales person involved does not have in-depth understanding of all aspects of the products under consideration. A continuous program of documented training is an essential feature of successful advised sales and the delivery of suitability. Continuing professional development is now a long-standing part of the regulatory requirements in jurisdictions such as the UK.

Future-proofing the systems and controls infrastructure.
All firms should seek to future-proof the systems and controls infrastructure built to enable compliant, suitable advised sales. It is not necessarily fair, but it is practical reality that today’s sales will be viewed with tomorrow’s eyes. Even if the rulebook itself has not changed, regulatory expectations move on. Firms need to build a level of flexibility into all technological compliance solutions implemented, with the central guiding tenet that firms (and their regulators) will always need comprehensive and repeatable evidence for all their activities and client interactions.

Chapter Nine

Product governance

The changing expectations regarding product governance align with those on suitability. The aim is to improve customer protection by increasing the focus at a much earlier stage of the product life cycle. Specifically, policy makers are seeking to prevent future mis-selling due to poor product design.

The European supervisory authorities are taking coordinated action, with both ESMA (in the shape of MiFID 2/R) and the European Insurance and Occupational Pensions Authority (through its guidelines for product manufacturers and distributors) pulling together best practice that has evolved across all financial services sectors in the last few years. There is a focus on seeking to ensure good customer outcomes through enhanced product governance.

Firms have found it hard to argue with the overall customer-centric approach proposed for Europe. That said, the proposals may well require a significant investment in the redesign of policies, procedures, levels of documentation, governance arrangements and, in particular, a redesign of the detailed nature of the relationship between manufacturer and distributor.

As a first step, compliance functions may wish to review how early in the product design process they routinely get involved. If it is not at the very earliest stages, it may be worth updating any policy on product design, manufacture and distribution to ensure the compliance function is part of the process from the start, both as a matter of course and as part of the sign-off procedure.

Chapter Ten

Anti-money laundering/counter-terrorism financing

Terrorism is never far from the news headlines. The financial services industry is at the forefront of the fight against all forms of financial crime. Politicians, particularly in the wake of the recent events in Paris, have a spotlight on firms and regulators alike to be, and to be seen to be, doing everything they can to eliminate money laundering, sanctions breaches and terrorist financing.

Some firms have separate money laundering reporting officer and AML functions, while in others it falls to the compliance function to undertake the work on the prevention of financial crime. Wherever the responsibility falls, firms would be well advised to undertake a widespread review of all aspects of their approach to, and compliance with, financial crime prevention requirements.

There is ample guidance to assist firms in their work on financial crime. In September 2015, the Wolfsberg Group published FAQs on financial crime risk assessments. The Wolfsberg principles on the prevention of financial crime are not mandatory, but they are internationally recognized as a benchmark for developing regulatory good practice approaches to risk management. Firms would be well advised to use the criteria set out in the FAQ when considering their approach to their next (usually annual) review of financial crime.

More guidance came from the UK FCA in April 2015, when it published updated guidance for firms on financial crime systems and controls. Although the FCA has made it clear that the guidance is not binding, it has nevertheless sought to provide firms with an enhanced understanding of regulatory expectations and to set out steps that can be taken to reduce the risk of financial crime. The guidance also aims to help firms assess the adequacy of their financial crime systems and controls and remedy deficiencies, as well as to adopt a more effective, risk-based and outcomes-focused approach to offsetting financial crime risk. As such, some of the suggestions and practices (both good and poor) may be a useful additional resource for any firm when reviewing its approach to anti-money laundering and combating the financing of terrorism (AML/CFT).

In July 2015, the International Monetary Fund published the overarching staff report from its annual bilateral discussion with the United States. The suite of supporting publications included the Financial Sector Assessment Program technical note reviewing the U.S. approach to AML/CFT, which highlighted outstanding policy gaps and made some high-priority recommendations, including, specifically, the changes needed to the required approach to beneficial ownership.

The issue has become all the more pertinent as the U.S. AML/CFT system is being assessed by the Financial Action Task Force (FATF), which began a monitoring visit on June 1, 2015. The results will be made public in 2016. The last FATF assessment in 2006 found that the United States had implemented an AML/CFT system that was broadly in line with the international standard, with one significant omission regarding customer due diligence.

Less significant deficiencies related to the availability of ownership information about corporations and trusts, and the requirements applicable to certain designated non-financial businesses and professions. The U.S. AML/CFT legal and institutional framework has yet to address the deficiencies identified following that assessment.

In the United States, AML/CFT is also set to get personal for compliance officers. In December 2015, the New York State Department of Financial Services proposed that a senior compliance officer for each regulated institution would be required to make an annual certification as to the firm's compliance with the transaction monitoring system requirements used to detect money laundering and terrorist financing. The proposal contemplated potential criminal penalties for the compliance officer if the certification were deemed to be "incorrect or false."

In the summer of 2015, the European Fourth Money Laundering Directive was agreed and is scheduled to become law on June 26, 2017. The new directive also focuses on beneficial ownership as well as the shift toward a more risk-based approach, whereby firms would have to assess the risks faced and put in place appropriate resources and measures to offset them, which is where the Wolfsberg FAQ will be particularly useful.

In September 2015, the Canadian government published an assessment of inherent risks of money laundering and terrorist financing in Canada.

The report found that the large Canadian banks were “exceptionally vulnerable” to financial crime, with concerns also expressed regarding accountants and lawyers.

The report has been published ahead of the expected publication of the latest FATF visit to Canada in 2016. For Canadian financial services firms or others dealing into or with Canada, the financial crime risk assessment has taken on a heightened importance and will need to be particularly detailed to allay governmental concerns.

One other element for firms to consider as part of their financial crime risk assessment planning process is the publication by the European Council of the proposed General Data Protection Regulation, which has the twin aims of enhancing the level of personal data protection for individuals and increasing business opportunities in the European Digital Single Market.

Firms will need to understand, in detail, the implications and impact of the General Data Protection Regulation, which will apply to anyone who “resides” in the European Union, no matter where in the world they are deemed to be doing business. Nor is the regulation dependent on whether any transaction has taken place.

The links between the data protection and beneficial ownership aspects of AML/CFT are clear, and firms will need to ensure that they can identify all of their clients who are deemed to be resident in the European Union, regardless of where (geographically) they happen to be dealing with them.

A secondary part of the determination will be establishing exactly where any business is taking place and, where it is outside the EU, ensuring that either the required "adequacy" assessment or the onerous "appropriate safeguards" are in place. The potential for a "fortress Europe" in terms of data protection has become a reality that is likely to come into force in early 2018.
