Ten things compliance officers need to do in 2017
2016 started benignly for firms and their compliance officers. The end was both clear and in sight for many of the big regulatory reforms offering the future possibility of a risk and compliance agenda not dominated by significant change programs. The potential for firms to innovate rather than have their entire IT change capacity absorbed by the ramifications of rule changes appeared to be in sight.
2017 looks different. A combination of Brexit, a Trump presidency and the rescheduling of a number of EU reforms has put regulatory change and uncertainty back into the spotlight.
Super-size fines have returned, too. The penalties imposed after the crisis had appeared to be declining as regulators sought more diverse ways of implementing credible deterrence and of increasing the potential for senior individual liability. Toward the end of 2016, however, huge fines were again making headlines as enforcement action for the mis-selling of mortgage-backed securities (MBS) continued in the United States, with settlements for Deutsche and Credit Suisse totaling $12.5 billion.
The MBS actions, which have included JPMorgan, Goldman Sachs, Morgan Stanley, Bank of America and Citi, are far from over. Further penalties are expected to be imposed on firms such as RBS and Barclays, which has chosen not to settle with the U.S. Department of Justice and is taking the matter to court.
Firms and their compliance officers now face considerable change, and regulators appear determined to use an increasingly wide range of sanctions to drive home the need for effective compliance and the resulting good customer outcomes. There is a danger of fatigue, which will perhaps be further enhanced by the evolving regulatory expectations concerning culture and conduct risk.
Boards have always had to multitask, but a crucial skill remains the ability to balance commercial and compliance demands to allow for business improvement and development, rather than having all change capacity and capability taken up by regulatory issues. Uncertainty presents opportunities, and firms should seek to influence their futures rather than watching the rulebooks change. Compliance officers will need to be front and center to give their firms the best chance of a trouble-free 2017. There is a range of problems that all compliance officers, no matter the size, jurisdiction or sector of their firm, must consider. In no particular order, these are:
Preparing for uncertainty
Regulatory uncertainty has several ramifications for compliance officers. First, they will need to be clear that future uncertainty does not make the existing rulebook any less valid. Regulators are likely to use any policy hiatus to increase their supervision efforts, and so firms should expect enhanced scrutiny of their ability to evidence compliant activities, particularly with regard to stated supervisory priorities such as the appropriate treatment of vulnerable customers and the implementation of culture and conduct risk policies.
A double check on existing compliance is also a good means of ensuring that any future change is built on strong foundations, as well as acting as a refresher for senior managers as to the state of risk management in the business. The reporting and discussion of risk management could be used as the basis for developing a lobbying strategy on potential regulatory change.
Firms, with express compliance officer involvement, need to think through the implications for their own businesses of any possible changes, and then make senior-level decisions as to what “good” looks like for their businesses. “Good” in this sense could include a scenario that is neutral for the firm itself but potentially a significant threat for its competitors. Equally, if a possible threat is bad for the firm, it might end up being worse for competitors, leaving the firm in a relatively better position. Whatever strategy is agreed upon, firms should be prepared to engage with policy makers to try to influence future policy. It is in no one’s interest to have poor-quality legislation or guidance.
- Firms need to invest in skilled risk and compliance resources to respond to draft policy and rule changes. Even if the apparent chances of getting a policy maker to alter its approach are small, they will, by definition, be nil if firms fail to respond. Firms may wish to coordinate further between themselves and/or with trade bodies to add weight to arguments where compliance will either be unduly onerous or the approach is unlikely to meet the required good customer outcomes.
- Firms also need to submit written responses if they then wish to follow up with politicians, supranational bodies or others. Any firm approaching an entity or individual without having submitted a detailed, reasoned response to a formal consultation process will be given short shrift.
- A well-trodden lobbying path has been for firms to engage with relevant politicians to get particular points across. Firms need to appreciate the differing levels of detail required by particular policy makers and the detail of the rulebook, and pitch their lobbying at the appropriate level. Big-picture concerns can be raised and discussed, but any points made are likely to carry particular weight if they reference specific examples and are couched in either market integrity or customer and investor protection terms.
Lobbying should be considered a medium- to long-term investment. For this investment to be successful, firms must have both the resources and a deep understanding of the evolving stances and approaches that regulators take. That involves considering not only the rules and regulations being made at the jurisdiction level but also the policy making by the supranational bodies (such as the Financial Stability Board, the Organisation for Economic Cooperation and Development, the Basel Committee on Banking Supervision and the International Monetary Fund) which set, and comment on, the international regulatory framework.
The expanding scope of the compliance role and cyber resilience
For many compliance officers, it must feel as though the boundaries of their roles, and of what is or is not deemed to be of interest to the compliance function, have done nothing but grow in recent years. The perimeter of today’s compliance officer job description is much more nebulous and is driven by developing regulatory expectations regarding good customer outcomes, culture and conduct risk.
Good customer outcomes will be under threat should cyber resilience fail. Compliance officers do not need to become technological experts but do need to ensure that cyber risks are identified, managed, mitigated, monitored and reported on within their firm’s corporate governance framework. One quick win would be to ensure cyber risks are included in the range of risks considered and that the board is prepared to discuss the actions taken to ensure everything possible has been done to embed cyber resilience throughout the firm.
Much of the best practice policy advice has shown that simple defense measures, done well, are effective against all but the most sophisticated and determined cyberattacks. Policy advice is starting to be codified into regulatory requirements, with the New York Department of Financial Services requiring firms from March 2017 to establish and maintain cybersecurity programs designed specifically to protect consumers and ensure the safety of New York state’s financial services industry. Firms will be expected to tailor cybersecurity plans to any weaknesses highlighted in their risk assessments, to report cybersecurity events, to file copies of their updated security plans each year and to designate a chief information security officer.
Outsourcing
Compliance officers must be involved in the oversight of all significant outsourcing arrangements, none more so than when it is part of the compliance functionality that is to be outsourced. Outsourcing can be an efficient and cost-effective way to supplement in-house resources, but it must be delivered appropriately to be of benefit.
Outsourcing has come to the fore for all the wrong reasons in previous years, with Western Union in the Republic of Ireland and Raphael & Sons in the UK both being sanctioned for specific outsourcing failures, and in the United States, a risk alert was issued warning of the dangers of outsourcing compliance. This focus led Thomson Reuters to include a question about outsourcing in its Cost of Compliance Survey 2016, and 25 percent of firms responded that they outsourced some or all of their compliance functionality.
There were two main influences: the need for additional assurance on compliance processes and, of potentially greater concern, a lack of in-house compliance skills. The range of activities that compliance functions are now expected to perform may be an underlying reason for the dearth of skills in-house.
While it is good that compliance functions have recognized a skills gap, firms need to keep the balance between in-house expertise and any outsourcing under review. It is critical that firms continue to invest in all aspects of their risk and compliance infrastructure.
The golden rule for successful outsourcing is that, while activities can be moved to a different group, company or a third party, the skills to manage those activities must be retained in-house. This may be less obvious in an intragroup outsourcing scenario, but for a separate legal entity with a separate license, it is essential. If there is a branch or other structure involved, then the firm needs to consider the efficacy of the outsourcing arrangements and the skills, governance and local responsibilities of the branch.
Risk, compliance and internal audit functions should include outsourcing in all their monitoring plans. Elements to consider for testing are:
- The need for up-front due diligence on the outsourcer (even when it is a group company), together with a detailed written agreement specifying all aspects of the outsourced arrangements.
- The ability to physically access the off-site outsource location. Every effort should be made to carry out at least an annual onsite visit to all major or material outsourcers to assess the level, timeliness and quality of the information flows.
- The practical ramifications of data protection legislation, particularly with regard to the security of data and any international data transfers.
- The resilience of the outsource company. While most firms will undertake comprehensive due diligence at the start of the relationship with an outsourcer, it is less common to undertake continuing checks to ensure that the outsourcer remains effective. Firms should have comprehensive, tested contingency plans to deal with the failure of an outsource provider.
- The right (as should be set out in the outsource contract) to be informed before the outsourcer passes any of the firm’s data or activity on to a further provider. Too many firms have found that their data has been passed on from their original outsourcer to numerous other entities, thereby increasing possible loss, contagion, and reputational and concentration risks.
- The inclusion of outsourced arrangements in recovery and resolution plans. This is particularly pertinent for any firm required to create a “living will,” but will also be critical for business continuity and disaster recovery plans.
- The maintenance of in-house skills and expertise to oversee the activities outsourced.
- As a matter of course, any review of outsourced activities should be reported to the board as part of the firm’s overall risk reporting.
Culture, conduct risk and compensation
In previous years, regulators have focused on conduct risk. This has now morphed into a near-universal expectation that firms must consider how culture and conduct risk affect every aspect of their operations. In practical terms, this has led to a greater focus on compensation practices. As William Dudley, president and CEO of the Federal Reserve Bank of New York, said, “To put it very simply, incentives drive behavior, and behavior establishes the social norms that drive culture. If the incentives are wrong and accountability is weak, we will get bad behavior and cultures.”
Dudley’s comments pick up on the FSB’s broader review of conduct, as part of which it hosted a roundtable to share experiences on the use of compensation tools to address misconduct in banks. Although the roundtable focused on banks, it was also relevant for the compliance officers of other firms. Participants recognized compensation and conduct were directly linked and were increasingly looking to manage conduct via compensation tools both ex ante (explicit performance targets and encouragement of positive behavior) and ex post (ensuring appropriate consequences for poor behavior). They also acknowledged that the use of compensation tools to drive good compliance outcomes should not be overemphasized.
More generally, banks were keen to turn values into actions and ensure lines of business “owned” conduct risk. Many banks use their codes of conduct to set the framework for expected behavior, and to outline their expectations about roles and responsibilities. Performance objectives are increasingly linked to the values or ethics reflected in codes, and there is more emphasis on related assessments of risk management and conduct in year-end performance assessments. Importantly, there is also recognition that other values may pull away from these goals; for instance, conduct and profitability drivers may clash.
Other points included the importance of “tone from the top” in signaling where to place the balance between performance and customer and counterparty interests and the need to allow time to embed already-issued regulations and guidance.
A number of firms said they would welcome more guidance from regulators on “what good looks like” and would welcome initiatives such as further roundtables to share examples of better practice. Supervisors are seen as playing an important role in identifying better practices, conveying them to the industry and promoting consistency across markets. Compliance officers need to ensure they stay in touch with developments on compensation practices and ensure that their monitoring programs encompass all aspects of incentives in their firm.
Fintech and regtech
The scope of technological innovation is beginning to change the marketplace, and fintech has the potential to compete with, and enhance, existing financial services offerings. Thomson Reuters Regulatory Intelligence undertook a review of fintech, regtech and the specific expectations on the role of the compliance function following the findings of the Cost of Compliance Report 2016, which suggested technology presented a bigger challenge for compliance than ever before.
Regulators will expect firms to make best use of fintech. Compliance functions are likely to come under scrutiny if they are not seen to be considering and deploying regtech solutions to aid regulatory risk management. The industry is in danger of becoming fragmented, with those firms whose risk and compliance functions have fully engaged with fintech (21 percent) at one end of the spectrum and, at the other, the 16 percent of risk and compliance practitioners who reported they did not need to be involved with assessing the implications of fintech.
The significant differentiating factor may be skills combined with a need to revamp older, disparate IT systems. Firms (and regulators) would be well-advised to undertake an IT skills audit that highlights and begins to remediate any gaps. Such an audit would also need to ensure the firm is prepared when regulators ask about skills at board and other levels, and about the potential (over)use of consultants.
The audit should cover technological skills throughout the firm, not just in the IT department, to ensure all functions (risk, compliance and internal audit included) have the appropriate levels of IT expertise for their roles.
The need to revamp IT skills and systems may well require substantial investment. The wide spread of budgetary expectations revealed by the report highlighted the differences, with respondents reporting that although almost a quarter (24 percent) lacked a budget for regtech, a third (35 percent) expected the budget for regtech solutions would grow in the coming year. Insufficient investment in technology and associated skills will leave firms and their compliance functions without the infrastructure to thrive into the medium to long term, and, specifically, the compliance function will be unable to reap the benefits of regtech.
Data protection
In financial services firms, data protection is often part of the compliance function’s remit. The profile of data protection is set to rise with the changes emerging from Europe, which will have international implications. Specifically, the General Data Protection Regulation (GDPR) will enter into force on May 25, 2018, and is aimed at strengthening and unifying data protection for EU citizens.
An important feature of the new regulation is enhanced rights and protections for individuals, including an enhanced “right to be forgotten” and the need for unambiguous and/or explicit consents for the use of personal data. Firms should consider reviewing their approach to, and evidence for, good data protection to ensure they have a solid base from which to consider any systems or other changes required by the regulation. The GDPR takes the regulatory focus on data protection to the next level with the potential for fines of up to four percent of global annual turnover.
Early indications from the UK Information Commissioner’s Office are that GDPR will be implemented in the UK irrespective of Brexit.
De-risking
De-risking can be seen as a side effect of greater regulatory intrusiveness combined with the more stringent approach to enforcement. Firms are reviewing their business models and activities and choosing to divest themselves of anything perceived as carrying too much regulatory or other risk. De-risking is widespread, with HSBC reported to have withdrawn from or disposed of 74 businesses since 2011, all of which were considered, particularly in light of U.S. enforcement action, to be too risky. One example is the impact on correspondent banking, which is seen as an essential component of the payment system, especially for cross-border transactions.
Banks have traditionally maintained a broad network of correspondent relationships, but there are growing indications that firms are cutting back the number of relationships they maintain and are establishing fewer new ones. The main reason appears to be the uncertainty about how far customer due diligence should go to ensure regulatory compliance — in effect, to what practical extent banks need to know their customers’ customers (KYCC). As a result, correspondent banking has been subject to de-risking with the associated withdrawal of services that:
- Do not generate sufficient volumes to overcome compliance costs;
- Are located in jurisdictions perceived as too risky;
- Provide payment services to customers about which the necessary information for an adequate risk assessment is not available; or
- Offer products or services or have customers that pose a higher risk for anti-money laundering/combating the financing of terrorism (AML/CFT) and are therefore more difficult to manage.
The FSB and the Committee on Payments and Market Infrastructures of the Bank for International Settlements are seeking to turn back the tide and to alleviate some of the costs and concerns connected with correspondent banking activities.
All firms involved in correspondent banking should take advantage of the development of practical regulatory guidance or safe harbor as to how far customer due diligence with both KYC and KYCC should go and what associated level of documentation or other evidence is required. Compliance officers should factor potential regulatory changes into their longer-term decision making, particularly as firms need to be aware that de-risking carries its own risks and needs to be managed carefully.
Exiting a regulated business can be nearly as time-consuming and labor-intensive as setting it up in the first place, and if it is not done rigorously, the firm will end up increasing its risk profile, as well as potentially damaging its relations with relevant regulators.
Reporting
Reporting, both internally and externally, is an essential part of the compliance function. Done well, it provides a critical information flow which evidences a compliant, risk-aware business. Done badly, it creates huge problems and provides a signal for regulators to initiate a wider investigation of the firm’s activities and potentially even enforcement action.
The greater focus on culture and conduct risk, combined with heightened personal liability, has driven the need for boards and senior managers to have a clearer understanding of risk management and compliance, which, in turn, is likely to drive improvements in management information and internal reporting. High-quality information is also critical to ensure senior individuals are in a position to discuss risks and their management with regulators.
Compliance officers should review all risk and compliance management information, the efficacy of its sources and any inherent assumptions, as well as the clarity and consistency of internal and external reporting. Good management information is the lifeblood of any firm and will become even more important given the need for firms to evidence they and their senior managers have done all of the right things in all of the right ways.
Compliance officers might also consider the potential to combine reporting at the highest level of the firm so that compliance, risk, internal audit and legal present a single coherent view on the state of risk management to the board.
Financial crime
The downsides to getting things wrong in money laundering, know-your-customer, ultimate beneficial ownership and sanctions have become so expensive that many firms have created separate specialist functions to manage the risks. However a firm chooses to organize its approach to the prevention of financial crime, the compliance function needs to remain involved, given the links to regulatory risk. Many firms will have reviewed their approach to financial crime and beneficial ownership in particular, following both the Panama Papers revelations and the Financial Action Task Force post-visit reports on Canada and the United States.
While any regulatory changes to implement the FATF recommendations in North America are awaited, in Europe the Fourth Money Laundering Directive will take effect from June 2017, with changes to beneficial ownership, customer due diligence, the risk-based approach and politically exposed persons.
As part of the overall approach to risk management in the firm, compliance officers may wish to consider conducting preemptive reviews of their approach to, and ability to evidence compliance with, all aspects of AML/CFT, bribery, corruption, fraud prevention and sanctions requirements. For example, they might undertake specific regular financial crime risk assessments that are judgment-based and aim to highlight risk areas, determine how well the risks are being managed, and hence provide the basis for a risk-based allocation of resources to the highest-risk areas, as well as providing the basis for remedial and other risk mitigation plans.
Personal liability
Lastly, there is the question of personal liability for compliance officers. The Cost of Compliance 2016 report showed personal liability to be a perennial worry for compliance officers, with 60 percent of respondents (59 percent in 2015) expecting the personal liability of compliance officers to increase in the next 12 months, and 16 percent expecting a significant increase. The situation is more acute among global systemically important financial institutions, where 27 percent expected a significant increase in personal liability in 2016.
Regulators have made clear the rationale behind their drive to hold individuals to account. The impact on the cost of compliance and whether it makes it harder to recruit individuals to higher-stakes compliance roles remains to be seen. Greater personal liability is a reality in many jurisdictions. In theory, individuals could already have routinely been held accountable, but it was often simpler, quicker and easier for regulators to pursue firms. As a result, regulators have themselves been criticized for not disciplining senior individuals for failings that contributed to the financial crisis.
The intention is not to necessarily increase levels of enforcement but rather to encourage improved risk awareness, leading to more consistently good customer outcomes. One of the most challenging methods employed by regulators is the use of personal attestations, which are seen as a good way to focus senior managers’ attention. If the signatory either fails to give the required attestation or a compliance breach is found in the attested area, it should be a straightforward matter to pursue enforcement against the senior manager involved.
The UK has perhaps taken the most decisive steps toward changing expectations of senior managers. Since March 2016, banks and the largest asset managers (UK Prudential Regulation Authority-designated investment firms) have been subject to the new Certification and Senior Managers Regime, which requires firms to allocate prescribed responsibilities to individuals and document the accountabilities in formal “responsibilities maps.” The regime is due to be rolled out to all UK-regulated firms in 2018.
The United States, Canada, Hong Kong and Australia have all made policy moves to drive both personal accountability and the need for consistently better behavior by senior individuals, compliance officers included.
Personal liability is here to stay, so compliance officers must assess for themselves what “good” looks like in terms of their own personal regulatory risk management, which, in turn, can be used as the blueprint for everyone else. There are several benefits for compliance officers who think through in detail how best to manage their own personal regulatory risk. They will have a better chance of staying out of trouble, and they will be able to advise fellow senior managers on best practice. Once they have the infrastructure and protocols in place to manage their own risk, they will be able to devote more attention back to overseeing the firm’s compliance.