April 2019 Issue
As the regulatory landscape has evolved, compliance departments and the chief compliance officer (CCO) have become increasingly important, helping organisations to adapt.
Today, companies are beholden to ever-changing and escalating regulatory demands. As such, there is significant pressure on compliance professionals to ensure that companies meet their obligations. Today, business compliance operates on two levels. First, it requires companies to be compliant with external rules imposed upon the organisation as a whole. Second, it means building internal systems of control necessary to achieve compliance with these external rules.
According to the International Compliance Association, in order to achieve these goals, compliance departments must identify the risks that an organisation faces and offer advice on how to overcome them. They must design and implement controls to protect an organisation from those risks. They must monitor and report on the effectiveness of those controls in the management of an organisation’s exposure to risks. They must resolve compliance difficulties as they occur. Finally, they must advise the business on rules and controls.
These tasks are becoming more challenging. In the EU, for example, measures such as the General Data Protection Regulation (GDPR), the Market Abuse Regulation (MAR), MiFID II and the 4th and 5th Anti-Money Laundering Directives have changed the paradigm, requiring companies to constantly evaluate their structures and approach to compliance, particularly in light of the fines available to punish non-compliant organisations. In 2018, in the UK, the Financial Conduct Authority levied fines of £60m for compliance breaches. According to Fenergo, $26bn in fines has been imposed globally for non-compliance with anti-money laundering (AML), know your customer (KYC) and sanctions regulations in the last decade.
However, an effective compliance department can offer much more than simply ensuring that companies avoid penalties. By identifying appropriate controls and managing the company’s relationship with regulators, compliance teams can increase operational effectiveness, drive cost efficiencies and provide a value-added service to the business.
“The compliance department within any company is incredibly important,” suggests Ronald Machen, a partner at Wilmer Hale. “First, a well-functioning compliance department helps the company avoid legal pitfalls that can cost it hundreds of millions in fines and other legal costs. Second, in the event that a company is investigated by the government, one of the things that the US Department of Justice (DOJ) does when deciding whether to bring charges or negotiate plea agreements is to determine whether the company had a robust compliance programme or simply a ‘paper programme’, meaning one with a lot of policies but little monitoring and enforcement. As the saying goes, an ounce of prevention is worth a pound of cure.
“Having an effective compliance department helps the company implement its business strategy across myriad countries and avoid legal pitfalls,” he continues. “Without a robust compliance programme, it is more likely that problems will arise that draw the attention of regulators. This is especially true if a company works in a country that is known to be a hotbed of corruption and contains a weak legal system. While there are sometimes tensions between business and compliance personnel, smart companies realise that the compliance function protects not only their bottom line, but also their employees as regulators, particularly in the US, continue to focus on individual bad actors within companies.”
Driving the evolution of compliance
While increasing regulation has had an impact on the development of the compliance function, recent high profile enforcement actions have also focused company minds. For example, in 2018, the Office of the Comptroller of the Currency issued a $12.5m fine against the Bank of China’s New York Branch. Additionally, the Financial Crimes Enforcement Network (FinCEN) issued a $7m fine against the Merchants Bank of California for wilful violations of the Bank Secrecy Act (BSA). The financial crisis was the harbinger of these enforcement actions. The Dodd-Frank Act, for example, was a watershed moment in the financial services industry, and since the crisis, the US Securities and Exchange Commission (SEC) has brought a record number of enforcement actions and imposed unprecedented monetary fines.
“The compliance function has seen massive investment over the past decade, thanks to a number of high profile enforcement actions as well as the depth of the financial crisis, and has matured significantly in some industries, particularly healthcare and financial services,” says Cynthia Dow, head of the global Legal, Regulatory & Compliance Officers practice at Russell Reynolds Associates. “Lately, we have seen a marked increase in compliance investment and interest among tech companies, in part as a reaction to the data privacy issues that have plagued the industry.”
Technology, too, has impacted the compliance function. In the coming years, the emergence of regulatory technology (RegTech) could have a seismic impact. Though there will be some trepidation for firms unsure of the underlying technology, including innovations such as blockchain, RegTech offers solutions that solve compliance and regulatory issues, allowing companies to simplify their processes. RegTech, which usually takes the form of cloud computing or software-as-a-service (SaaS) applications, can automate procedures and streamline compliance processes to reduce both business risk and the load on human resources. Given that the amount of regulation that financial firms must comply with has exploded since 2009, with around 60,000 documents published globally since then, according to RegTech provider JWG, organisations can spend millions just to keep up. However, RegTech solutions utilising robotic process automation, pattern recognition and cognitive computing have transformative potential. They can speed up processes, drive down costs and free up staff to perform value-adding services. Furthermore, technology that tracks new and existing regulation will help map compliance to corporate strategy.
Funding for the RegTech industry has grown over the past few years. 2017 saw more than $1bn invested in the space – triple the investment from the preceding five years, according to Trulioo. 2018 saw $4.5bn invested, according to RegTech Analyst, bolstered by large transactions. SenseTime, a facial recognition solution provider, raised over $2.2bn across three deals, for example.
RegTech is also becoming increasingly accepted by regulators. In 2015, the FCA became the first regulator to open a ‘regulatory sandbox’ and encourage firms to test cutting-edge products, services or business models in a live, but protected, environment. Similar ‘sandboxes’ will likely appear in other jurisdictions. According to an Intertrust survey of 500 financial services executives, there is likely to be an upswing in demand for RegTech solutions over the next few years. This is a significant opportunity for startups to increase funding and enter into partnerships with regulators to help guide the future of compliance. That said some ethical questions remain regarding the utilisation of cognitive computing and allowing artificial intelligence to make ‘decisions’. Companies must carefully evaluate how much they are willing to rely on machines for compliance.
Chief compliance officer
Driving the development of the compliance function is the CCO. CCOs today fulfil a business partnership role. They must also be an educator and a facilitator of growth. “The CCO is expected to exhibit world-class leadership traits including excellent and incisive board-level communications, strong internal and external relationships and influencing skills, visionary and transformational team leadership, and a focus on operational excellence, including tailored, pragmatic business solutions and state-of-the-art technology delivered on a tightly-managed budget,” says Ms Dow. “While few CCOs will bring all of these capabilities to the table, what matters most will depend on the particular organisation. Larger, more complex organisations are likely to place the greatest emphasis on leadership and communication skills, for example, while less mature ones may need to focus more on breadth of technical compliance expertise and operational excellence.”
CCOs must also be technologically savvy. “Once upon a time, information was shared via telephone, inter-office mail or email,” explains Mr Machen. “Moreover, people communicated with software and hardware provided by the company. Now, people use their personal devices a lot more and information is shared via messaging apps and instant messaging software that may not be owned or controlled by the company, like WhatsApp and WeChat. CCOs must grapple with the legal challenges of securing company information on employees’ personal devices or viewing information on employees’ personal accounts. This is especially true since the DOJ may not give full cooperation credit during an investigation if important information is deleted.”
Many CCOs sit on boards and report directly to the chief executive. They are no longer on the outside looking in on business development; instead, they are a key cog in the machinations of the C-suite. Accordingly, CCOs must deliver concise, comprehensive and visually interesting representations of key enterprise risks, the compliance programmes which address those risks, and regular updates on programme implementation and risk mitigation. “Boards should expect and require clear lines of accountability through the organisation with compliance roles and responsibilities articulated and allocated to experienced leaders,” says Ms Dow. “Perhaps most critically, boards should require evidence that compliance is not just a ‘box-checking’ activity but one that business leaders embrace and espouse, and which has a demonstrated and meaningful impact on the culture of the organisation.”
Undoubtedly, the role of the CCO is vital, but increasingly complex. Adapting and responding is key. CCOs must understand the complexities of the organisation, as well as the conflicts and risks inherent in its operation, and the fundamental needs of the business within the regulatory framework. Ethics is also crucial. Compliance leaders, through training, policies and procedures, must lead from the front. This is particularly important in light of the #MeToo movement, which has highlighted the critical importance of integrity and tone at the top. “Compliance leads the way in bringing the code of conduct to life and quickly addressing any misconduct issues that arise,” says Ms Dow. Companies must be cognisant of the many new and evolving laws that govern the relationship between employer and employee, as well as evolving best practices to prevent against sexual harassment and gender inequality in the workplace and effectively respond to any allegations.”
According to Mr Machen, CCOs also have to be aware of the culture of foreign offices, for example modes of communication, in order to avoid inadvertently running afoul of foreign customs. “Being unaware of foreign customs may hinder effective communication across offices,” he says. “Moreover, CCOs have to know the laws – such as privacy – governing each country in which the company operates. If the CCO does not, then potential legal issues can arise quickly.”
With changing regulatory obligations and shifting societal expectations, the future of compliance will be challenging. Internal and external scrutiny will add additional pressure to compliance teams who must act now to prepare for the obstacles ahead. The emergence of RegTech will be a landmark moment in this journey, set to redefine the future of regulatory compliance in the financial services sector and beyond.
© Financier Worldwide