| Five questions board members should ask their compliance function |
Back |
| Marion Kelly highlights the heightened compliance challenges and responsibilities financial institutions and in particular, board members face. |
A raft of national and international legislation has been introduced over the past year which has significantly added to the burden on executives and senior management within the financial services industry from a compliance and corporate governance perspective. The implications of these developments are wide ranging and include the draft Companies (Audit and Accountancy) (Amendment) Bill 2001, the Company Law Enforcement Act 2001, as well as the recent US Sarbanes-Oxley Act.
However, against this background, compliance management, per se, remains a relatively new area - with evolving practices and varying skill sets across institutions. In our experience, there is often a knowledge deficit at board level regarding the scope of the compliance function and, perhaps most importantly, the individual responsibility of senior management and executives as regards ensuring and safeguarding overall compliance standards.
In this context, we have identified five key questions which we believe board members and members of senior management should be asking of their compliance functions in order to assess the current scope and needs of compliance, and enable them as individuals to understand their own compliance obligations.
1. What is compliance: While initially appearing a fairly pedantic question, in our experience institutions find it extremely difficult to answer this consistently and definitively. Different institutions have different perceptions and thereby different interpretations of what constitutes ‘compliance’. However, there is an emerging consensus between regulators that compliance refers to all the regulations and supervisory expectations relevant to a financial institution as well as to internal codes of conduct. Thus, the responsibilities of compliance are expanding to encompass more wide ranging areas such as (HR) related issues including employment, equality and data protection legislation. A key step in achieving clarity as regards the boundaries of compliance is to document a ‘compliance universe’ - typically described as all the relevant legislation, regulations, codes and policies which, non-compliance with, could have a negative impact on the firm. In our experience, it will quickly become evident that this is no easy task and it can serve as a real wake-up call internally as regards the integral and wide-ranging role which the compliance function plays within an institution.
Board members must examine, agree and endorse the definition of compliance employed by their institution in order to satisfy themselves that the compliance function is of sufficient scope to meet business needs, that it is adequately resourced, and that there is an appropriate allocation of roles and responsibilities. Consideration should also be given to the compliance skill sets available, in order to identify any gaps which can be addressed via recruitment and/or training programmes.
2. What are the expectations of our regulator as regards compliance: Regulators are increasingly viewing the compliance function as a key element of corporate governance and overall risk management and as a result the scope and profile of the Compliance Function has been growing. The Central Bank’s guidance is that the size and the complexity of an individual bank should determine the roles and responsibilities required of the compliance function. The Department of Enterprise, Trade and Employment (DETE) issued some limited compliance guidance for the insurance industry during 2002. However, despite the absence of detailed regulatory guidance, it is apparent that from the perspective of the regulator, it is no longer acceptable for the management of compliance to be carried out on a ‘part-time basis’. Through the course of our audit work, we are aware of institutions which have received requests from the Central Bank for copies of minutes of audit committee and board meetings where compliance has been discussed. This approach is indicative of the increased regulatory focus on compliance and it is likely that this focus will only increase.
3. Does our compliance function have appropriate internal profile: Leading practice dictates that the compliance function should have appropriate status within a financial institution. In our experience, there has been a tendency for compliance to be regarded as a back office, non-core function which should not add cost to the business. Undoubtedly, this tendency is beginning to change, however it is vital that senior management supported by the Board ensure that compliance has sufficient internal status.
The status should be guaranteed by a document such as a compliance charter, which should be approved by the board as part of its supervisory responsibilities. In our view, this charter should cover at least the following:
• the objectives of compliance
• its position, powers and responsibilities
• relationships and co-ordination with other departments
• the right to take initiatives
• the authorisation to communicate directly with staff, to examine any activity, and to access any records, files or data of the institution, where relevant
• the guarantee to be able to freely express and disclose its findings and appraisals, and the assurance that these will not jeopardise compliance staff.
A further means of raising the internal profile of compliance is to issue an internal code of ethics. We would consider this as a key element of compliance best practice. A clear code of ethics sets the ‘tone at the top’, reinforces the internal status of compliance and highlights individual responsibilities.
4. Is the level and form of our compliance monitoring adequate: In order to be most effective, compliance monitoring needs to be both ‘preventative’ and ‘detective’, focusing on the controls to avoid failure and on those designed to isolate instances of failure where they are most likely to occur.
The distinction between prevention and detection is critical. We consider:
• ‘detection’ to mean any management activity which can identify potential breaches of rules, but which in itself can do nothing to drive behaviour that is inherently compliant; it identifies weaknesses that have already occurred and is therefore related to the past
• ‘prevention’ actively influences the customer’s experience, or the organisation’s adherence to regulatory requirements; it is related to the present.
Whilst some detective and remedial activity is an inevitable part of a compliance function’s activities, it can be ultimately self-defeating. The better compliance becomes at detecting potential breaches of the rules, the more breaches will be found and the greater the cost in investigating and correcting them. Functions which place emphasis on detection and remediation at the expense of prevention quickly find themselves very busy indeed and in constant need of more resources, yet not actually achieving a great deal in terms of improving underlying compliance performance. We would recommend that the balance as regards monitoring be biased towards prevention in order to ensure long term efficiency of compliance.
A move to a more preventative approach can also facilitate the utilisation of a risk based monitoring approach (i.e. focused on the principal areas of risk, based on the firm’s specific activities, customer base etc.). Information technology can facilitate this, providing real time reports and other information to compliance officers. Such systems are not as yet widely used but are comparatively well established in the US, particularly data mining systems for anti-money laundering compliance. In our view, investment in IT solutions is critical to leveraging compliance resources and containing costs.
5. Are the reporting lines of our compliance function correct: A significant challenge is to ensure the independence of compliance. To operate effectively, compliance needs to stay much closer to the day-to-day operations than does, say, internal audit. Their role needs to be ‘real-time’ rather than historic: providing advice and guidance to business units. However, close links to front-line business units can raise serious independence questions in terms of reporting lines and budgeting issues. Without clear compliance policies and procedures, matrix reporting structures can damage the independence of the compliance function, particularly if compliance officers report directly to business line heads and/or rely on the latter for resources. Unclear reporting structures can also remove the necessary clarity in terms of compliance roles and responsibilities, particularly, with regards to other functions which have compliance-related responsibilities, such as internal audit and the legal department.
A further imperative to achieve independence of compliance is the recently issued conduct of business standards of the Committee of European Securities Regulators (CESR, of which the Central Bank is a member), which explicitly stipulate that the cfompliance function be independent.
Conclusion
There must be a recognition that the board is ultimately responsible for standards of compliance within a financial institution. Directors and senior management need to reflect on their own compliance knowledge; the effectiveness of their compliance function; and on whether the Function is appropriately structured and resourced.
Compliance must be regarded as more than a cost of business, with investment being viewed as essential, rather than a ‘nice to have’. Boards need to break the culture of paying lip service to the importance of compliance with one hand whilst talking down or cutting the budget for compliance with the other. Against the ever-increasing regulatory demands on business, this is an approach destined for failure. |
Marion Kelly is a senior manager in PriceWaterhouseCoopers regulatory advisory services team.
|
| Article appeared in the February 2003 issue.
|
|
|
