Ten things compliance officers need to do in 2018

Compliance officers are used to having to up-skill those around them to deal with evolving regulatory expectations and rulebook changes. They are perhaps less used to assessing their own skill sets and the combined skills of their teams. The need for compliance officers to be polymaths has only grown in the last few years.

Andrew J Donohue, then chief of staff at the U.S. Securities and Exchange Commission (SEC), made the point when he said: “Years ago, the skills and expertise required of the compliance area and its personnel were fairly straightforward. You had to develop a basic expertise in the laws and regulations that affect your business. Back then, compliance comprised of lawyers, accountants and auditors, and some operational staff. In the future, I envision that the necessary expertise for compliance will consist of a far broader set of subjects, including expertise in technology, operations, market risk and auditing, to name but a few. Even now, compliance personnel need to have a solid understanding of these areas, but I envision the role becoming even more demanding such that a CCO will truly need to be a jack of all trades with access to a wide array of skill sets”.

Risk and compliance officers should take a step back, look at the in-house skills in their functions and undertake a skills assessment specifically tailored to the nature of the current and planned future business activities of the firm. Some gaps identified may need to be filled by targeted recruitment, while others could be filled by expert training.

All training must be captured and recorded, with any absences from training activities followed up and completed in a timely manner. Specifically, training needs to be seen as an investment as well as a way for individuals (senior or otherwise) to identify, manage and mitigate personal regulatory risks.

Personal liability for compliance officers remains a concern. The Thomson Reuters Cost of Compliance 2017 report showed 48 percent of respondents expected the personal liability of compliance professionals would increase in the coming year. This is down from 60 percent in 2016 but it is only the rate of increase which has declined, with compliance officers still concerned about the enhanced potential for personal liability.

The United States, the UK, Canada, Hong Kong and Australia have all made policy moves to drive both personal accountability and the need for better behavior by senior individuals, compliance officers included. An exacerbating factor is seen as the emergence of culture and conduct risk as an international regulatory theme. The Thomson Reuters report on Culture and Conduct Risk 2017 showed 73 percent of respondents said they expected the regulatory focus on culture and conduct risk to increase the personal liability of senior managers.

The figure increased to 87 percent in the global systemically important financial institution population. This is combined with the Financial Stability Board (FSB)’s policy focus on remediating persistent misconduct through, at least in part, its links to incentives and remuneration.
Compliance officers could do worse than look at the UK’s approach under the SMR with its assessments of fitness and propriety, the need for comprehensive job descriptions and an overarching duty of responsibility for senior individuals.

As Mark Steward, enforcement director at the Financial Conduct Authority (FCA), said: “The key difference under the senior managers regime is that specific senior management responsibilities have now been mapped to identify individuals within firms, with statements of responsibility which make it clear what each senior manager, in fact, has responsibility for.”

Personal liability is here to stay and compliance officers need to assess for themselves what “good” looks like in terms of their own regulatory risk management, which in turn, can be used as the blueprint for everyone else. There are several benefits for compliance officers who think through in detail how best to manage their own personal regulatory risk. They will have a better chance of staying out of trouble themselves and be more able to advise fellow senior managers on best practice. Once they have the infrastructure and protocols in place to manage their own risk, they will be able to devote more attention to overseeing the firm’s compliance.

The financial services industry was built on firms’ ability to identify and manage conflicts of interest. Nascent financial services firms would not have been entrusted with potential clients’ money and assets if they could not be trusted to manage conflicts of interest. Small firms would not have grown into the international conglomerates without having developed a reputation for looking after their clients, at least in part, through the diligent management of conflicts of interest.

Large parts of the existing rulebooks, which run to thousands of pages around the world, are devoted to seeking to ensure conflicts of interest between client and firm do not damage the client. An inherent part of the “good customer outcomes” required by regulators is that firms must put the interests of their clients at the centre of business strategy. The shifting regulatory expectations regarding culture and conduct risk are again focused on driving firms toward treating their customers, and their customers, interests, fairly.

Too many of the recent major regulatory breaches have involved firms either ignoring or mis-managing conflicts of interest, and regulators are clamping down hard on any mismanagement. In the UK, for instance, the FCA asked the chief executives of asset managers to sign a personal attestation to state that all conflicts of interest were being managed appropriately. In November 2017, the Hong Kong Monetary Authority and the Securities and Futures Commission published the results of a joint review on managing conflicts of interest in financial groups. The review found a number of concerns regarding management supervision, controls and monitoring mechanisms.


Other deficiencies were found where the control functions, including compliance and internal audit, did not appear to cover the identification of actual or potential conflicts of interest arising from the sale of in-house products and execution of orders where intermediaries and/or their related entities were the only counterparties selected. Some intermediaries failed to provide training to equip staff with adequate knowledge about managing conflicts of interest arising from the sale of in-house products.

Policy has also been revamped. The new Markets in Financial Instruments Directive, applicable to all investment activities in the EU, contains wide-ranging investor protection measures. Some of the specific detail for conflicts of interest is set out in the MiFID II (Organisational Requirements and Operating Conditions for Investment Firms) Regulation 2017.

The improvements to the existing framework include a number of additional safeguards:

• Who consented: the name of the individual, or other identifier such as online user name or session ID.
  
• When they consented: a copy of a dated document, or online records that include a time stamp; or, for oral consent, a note of the time and date which was made at the time of the conversation.
  
• What they were told at the time: a master copy of the document or data capture form containing the consent statement in use at that time, along with any separate privacy policy, including version numbers and dates matching the date consent was given. If consent was given orally, records should include a copy of the script used at that time.
  
• How they consented: for written consent, a copy of the relevant document or data capture form. If consent was given online, records should include the data submitted as well as a time stamp to link it to the relevant version of the data capture form. If consent was given orally, firms should keep a note of this made at the time of the conversation; this need not be a full record of the conversation.
  
• Whether they have withdrawn consent: and if so, when.
  

A first step for compliance officers would be to assess if the firm is able to identify whether or where it is doing business with EU citizens. If the firm is found to be subject to the GDPR they should undertake a gap analysis between the existing approach to data protection and that required under the GDPR. Any substantive gaps found should then be remediated as soon as possible.

The oversight of employees’ personal account (PA) trading is the bane of many of a compliance officer’s life. Trading for one’s own personal account is a frequent activity among employees of financial services firms. The regulatory focus on conflicts of interest, market integrity (market abuse and insider trading specifically), personal liability as well as financial crime has all sharpened the need for an enhanced compliance approach to PA dealing.

In theory there is nothing wrong with allowing individuals who have market knowledge to use their expertise for personal gain but how, or if, PA dealing is permitted needs to be balanced against the associated management and compliance issues. In the first instance, firms may wish to make it clear that employees’ PA dealing must not unduly impinge on their work for, and their obligations to, the firm.

Firms would be well-advised to implement stringent procedures to enable them to detect and monitor any conflicts of interest which can arise as a result of allowing employees to trade for their own account.

They should also seek to limit any potential for insider trading or market abuse which could result in not only personal liability for the individual concerned but also enforcement action and/or reputational damage for the firm. For this reason some firms have chosen to require employees not to trade for their own account and to limit them to discretionary, third-party, fund management arrangements.

Firms may also wish to consider the personal finance issues which can arise if an employee trades beyond their financial means and circumstances, and which may have a direct effect on the employee’s ability to perform his or her role. Although this is not necessarily a regulatory requirement, investigating an employee’s personal financial circumstances is an issue that a firm’s senior management team might wish to address.

All aspects of financial services now come with an overlay of conduct risk and culture expectations. It is insufficient for a firm to obey the black and white of the rulebook. Both firms and their senior managers now need to be able to evidence that they have done the right things, in the right ways and have ensured consistently good customer outcomes.

Compliance officers would be well-advised to review the policy and procedures associated with PA dealing. They may wish to check that the compliance manual appropriately reflects a wide definition of “employee”. Using contractors, sub-contractors or outsourced arrangements to undertake work, particularly in the IT and finance areas, is a common feature in many firms.

In circumstances where there is a high turnover of contract and temporary staff, the compliance department may wish to work closely with HR to ensure all new temporary employees are made aware of, and are subject to, the firm’s PA dealing procedures and reporting requirements.

Firms may also wish to perform an annual reaffirmation of their PA dealing rules to remind staff of the requirements and to provide an audit trail of the reminder.

Product governance has come to the fore in several different ways. There has been concern about products such as binary options, cryptocurrencies and initial coin offerings, and regulators have focused on protecting retail customers from the potential losses. Some have chosen to ban certain products while others are seeking to regulate more closely those perceived as particularly unsuitable for retail investors.

On a wider scale, evolving good and better practice has been codified into the guidance which will sit alongside the Insurance Distribution Directive (due to come into effect in February 2018).

The guidance, which is also relevant outside Europe and more widely than just the insurance market, covers product oversight and governance arrangements for manufacturers and distributors of products. Its main thrust is the need to protect consumers more effectively by increasing the regulatory focus at a much earlier stage of the product lifecycle. It also seeks to prevent miss-selling due to poor product design.

An important element of the guidance is the concept of a target market for products. It recommends manufacturers include in their product oversight and governance arrangements suitable steps to identify the relevant target market of a product.

The manufacturer should only design, and bring to the market through identified distribution channels, products with features which are aligned with the interests, objectives and characteristics of the target market.

When deciding whether or not a product is aligned with the interests, objectives and characteristics of a particular target market, the manufacturer should consider the level of information available to the target market and the degree of financial capability and literacy of the target market.

The manufacturer should also identify groups of customers with whose interests the product is considered unlikely to be aligned: in effect, the creation of a negative target market to which the product should not be sold.

Despite numerous fines and regulatory changes, anti-money laundering (and ultimate beneficial ownership in particular) has remained a priority and headline-grabber. In 2016, the news was full of the Mossack Fonseca Panama Papers; in 2017, it was the Paradise Papers which attracted media attention.

In Europe, the Fourth Money Laundering Directive took effect in June 2017 with changes to beneficial ownership, customer due diligence, the risk-based approach and politically exposed persons.

The Fifth Money Laundering Directive is already under discussion, with revisions likely to address:

• ensuring a high level of safeguards for financial flows from high-risk third countries;
  
• enhancing the powers of EU financial intelligence units and facilitating their cooperation;
  
• ensuring centralized national bank and payment account registers or central data retrieval systems in all member states;
  
• tackling terrorist financing risks linked to virtual currencies; and
  
• tackling risks linked to anonymous pre-paid instruments (e.g., pre-paid cards).
  

With regard to the persistent question of ultimate beneficial ownership, much of the policy is driven by the Financial Action Task Force (FATF), whose recommendations are the internationally endorsed standards against money laundering and terrorist financing. FATF visits jurisdictions and produces public reports on compliance with its recommendations. The UK, China, Hong Kong, Russia, the United Arab Emirates, Japan and New Zealand all have visits scheduled in the next couple of years.

As part of their firms’ overall approach to risk management, compliance officers may wish to consider conducting pre-emptive widespread reviews of their approach to, and ability to evidence compliance with, all aspects of AML/CTF, bribery, corruption, fraud prevention and sanctions requirements. Firms should undertake specific regular financial crime risk assessments which are judgment-based and aim to highlight risk areas. They should determine how well the risks are being managed, and provide the basis for a risk-based allocation of resources to the highest risk areas as well as providing the basis for remedial and other risk mitigation plans.

Financial services firms still come under investigation too frequently. Regulators have not hesitated to impose large fines and a range of other sanctions where breaches have been discovered. There is a wealth of advice for compliance functions facing the direct potential for enforcement. The need for action when another part of the group has come under scrutiny is perhaps less clear.

This is not a theoretical exercise as regulators regularly communicate and share information cross-border and international firms should do the same to help manage the overall risks to the wider firm.

There are considerable benefits in anticipating the potential impact of a regulatory investigation anywhere in a financial services group and putting plans in place to enable all parts of the group to deal with it. If nothing else, this should ensure other parts of the group do not compound any regulatory issues.

Issues can and do occur and this needs to be part of any plan to manage regulatory interactions, to ensure a line of sight to all regulatory expectations and allow where possible the positive management of investigations.

Regulatory relationship plans need to be tailored to the firm’s business activities. One of the many lessons from the Libor market failings is firms would be wise to include all activities in the plan and not just those that are directly regulated.

Senior individuals need to be able to discuss relevant regulatory issues with the regulator, and to understand the likely impact on the firm and its customers. Anyone meeting with or speaking to the regulator should be expected to make, maintain and share comprehensive notes of the discussion and should keep a record of any documents or other information exchanged.

Any requests or expectations stated by the regulator should be noted and as a matter of best practice confirmed in writing to ensure clarity of understanding. Any possibility of an investigation or other regulatory scrutiny should be documented in detail and shared internally as soon as possible.

All information provided to the regulator must be accurate and able to be substantiated, and all actions and timescales agreed must be met and reported on both internally and externally. A useful benefit of an international regulatory relationship plan will be the development of a group-wide database of regulatory interactions enabling compliance to spot trends, ensure a uniformity of information flows and enable pre-emptive briefings on emerging issues.

One area often missed when compiling the elements of a regulatory relationship plan is that of regulatory approvals and registrations. It can be a bureaucratic, resource-hungry process but it needs constant maintenance, and in a large international firm it may well need significant investment. Firms may wish to ask certain regulators for a full list of all registered persons and licenses held to check that the records at the firm and the regulator can be reconciled; regulators have been known to fail to update their own records even if they have been informed of changes.

It is far better for both the individual and the firm to be active in undertaking such checks rather than discrepancies coming to light, for example as part of an intrusive supervisory visit and there being, say, a mismatch of understanding as to which senior manager is registered where, and responsible for what.

The focus on fintech, regtech and cyber resilience continues to gather momentum. Discussions on the adoption and regulation of fintech and the impact of potential disruption not only for firms, but also potentially for financial stability, have risen to the top of supervisory agendas

The FSB, which operates under the aegis of the G20, is continuing its work to identify and address emerging risks to financial stability, including fintech. The concern about the potential threat posed by fintech in no way undermines the potential myriad benefits.

The second Thomson Reuters report on fintech, regtech and the role of compliance in 2017 considered the challenges for firms, ranging from the need to have the appropriate skill sets at all levels of the business, to the ability to evaluate possible regtech, fintech or insurtech solutions.

All of which is set against a background of a near-universal need to revamp legacy systems, while also implementing and embedding massive regulatory rulebook changes.

Regtech solutions are affecting how firms manage compliance and their use has risen by almost a quarter to 76 percent in 2017 (52 percent in 2016). The number of respondents who reported having already implemented a regtech solution almost doubled in 2017 to 30 percent (17 percent in 2016).

The biggest (69 percent) perceived impact of the successful deployment of fintech/regtech on the compliance function is the potential to drive up efficiency and effectiveness, thereby allowing more time to focus on value-added activities. One ramification of the move toward technology is the possible longer-term need for fewer compliance staff.

The need for fewer compliance staff might be expected to have an adverse impact on the compliance function but the move to a smaller, more highly-skilled, greater value-added function should maintain, if not increase, salaries and the need for experienced personnel.

Alongside the focus on skills and the need to invest in specialist skills is the quarter (27 percent) of firms that said they will need more resources to evaluate, understand and deploy fintech/ regtech solutions.

With three-quarters of firms (76 percent) of firms reporting at least a partial implementation of regtech solutions, the top three areas where compliance and regulatory risk management is most likely to be affected by regtech are: interpreting regulations and their impact (21 percent); implementation of regulatory change (16 percent); and capturing regulatory change (16 percent).

This shows a distinct shift from the previous year when the top three areas of compliance and regulatory risk management deemed likely to be affected by regtech were: compliance monitoring (47 percent); regulatory reporting (40 percent); and capturing regulatory change (35 percent). The year-on-year change may reflect the fast pace of change in regtech.

The one consistent thread was the need to capture regulatory change. Asia was a regional outlier, with almost a quarter of firms (23 percent) saying that the implementation of regulatory change was most likely to be affected by regtech. There were variations in top priorities, with capturing regulatory change seen as one of the more likely areas to affect firms in the United States and Canada (19 percent). Compliance functions must be able to evaluate regtech solutions. They must aim to reap the benefits of carefully selected, deployed regtech solutions hosted on an upgraded, stable and seamless IT infrastructure.

The needs of vulnerable customers, the changes to product governance expectations and the requirement for consistently good customer outcomes are likely to put complaints handling back on the supervisory agenda. The hallmarks of a good approach are founded on evidenced compliance with all relevant rules and requirements. With a culture and conduct risk overlay there are good or better practices which can help firms fulfill regulatory expectations and requirements.

It needs to be made easy for customers to complain, with clear information available as to how to make a complaint and how that complaint will be handled. An investigation must be followed by a decision as to whether or not the complaint has been upheld, all of which should be explained promptly to the customer in simple-to-understand language.

Firms may find it useful to carry out a root cause analysis. A customer complaint should not been seen as a problem to be solved but rather as an insight into a potentially recurring or systemic issue.

A leading indicator for regulators is the number of examples of such analysis resulting in other customers who had not complained but who had been affected by the same issue, being identified, and, where appropriate, provided with redress.

Compliance officers may wish to instigate a review of all complaints handling activities including root cause analysis and reporting. It may be valuable to consider the implementation of perceived good practice over and above the rulebook in line with culture and conduct risk considerations.