Title: Embedding Compliance III CPD Lunchtime Lecture
1. Embedding Compliance III CPD Lunchtime Lecture
Clive Kelly, 3rd December 2009
2. Objectives
- What is Compliance/Role?
- Regulator/Commentator Views
- How to?
- FR Role/Expectations
- Conclusion
3. Objectives
- What is Compliance/Role?
- Regulator/Commentator Views
- How to?
- FR Role/Expectations
- Conclusion
4. IFR on Compliance
- The appointment of a Compliance Officer is designed to supplement, not supplant, the responsibility of the Board of Directors and of senior management to ensure compliance with legislation and applicable requirements.
- An authorised undertaking must appoint an individual to act as Compliance Officer. Reflecting the size and complexity of some undertakings, the Compliance Officer may simultaneously hold other offices within a company (e.g. Company Secretary, General Manager etc.). In appropriate circumstances, a single individual could also be a Compliance Officer for more than one undertaking (e.g. in the case of captives managed by the same management company).
- 8.1 Functions of Compliance Officer
- The functions of the Compliance Officer must encompass the following tasks:
  - To ensure the undertaking is kept up to date with the Financial Regulator's compliance standards
  - To obtain the approval of the Board of Directors for a policy statement on compliance with applicable regulations, with the requirements of the Financial Regulator and with any other applicable legislation
  - To monitor the implementation of compliance and to report periodically to the senior management and to the Board of Directors thereon
  - To review products, procedures and systems on a planned basis from the viewpoint of effective compliance and to advise as to steps necessary to ensure compliance
  - To monitor anti-money laundering policies and procedures for effectiveness and ensure any suspicions are reported to the relevant authorities, and
  - To review staff training processes so as to ensure appropriate compliance competencies.
5. Assurance
- Assurance Provider means any party providing Assurance, such as Management, Compliance, Risk Management and Audit, supported by Legal.
- Assurance means
  - confidence,
  - based on sufficient evidence,
  - that objectives are being achieved,
  - that risks are identified and appropriately managed, and
  - that internal controls are in place and operating effectively.
- Role of Compliance: to provide Assurance to the Chief Executive Officer and the Board that the company is managing the compliance risks arising from the key external requirements with direct impact of non-compliance that fall within the function's scope.
6. Assurance Delivery
- Three lines of defence model, comprising Management in the first line, Risk Management and Compliance in the second, and independent assurance (i.e. Internal and External Audit) in the third line.
7. Compliance Framework
Diagram: compliance responsibility rests with the Board (overall), Management (day-to-day, sets the tone) and Staff (operationally); the Compliance Function provides support, advice and assurance to them.
8. Compliance Program
- The Compliance Program consists of the following activities and drivers:
- a) Promote a Culture of Compliance
  - The Compliance function supports the entity and its management to promote and embed a culture of compliance and ethics within the entity.
- b) Perform Compliance Risk Assessments
  - The Compliance function produces an annual Compliance Risk Assessment.
- c) Establish a Compliance Plan
  - The Compliance function develops a risk-based annual Compliance Plan, based on the Compliance Risk Assessment.
- d) Identify External Requirements and Trends
  - The Compliance function should drive the tracking and analysis of significant legal and regulatory developments.
- e) Issue Policies and provide Guidance
  - The Compliance function determines the need for new or revised compliance policies and supporting documentation.
9. Compliance Program (continued)
- The Compliance Program consists of the following activities and drivers:
- f) Provide Business Advice
  - The Compliance function acts as a business partner by providing strategic, transactional and day-to-day compliance advice and direction. This includes providing interpretation and judgment in respect of business practices and applicable rules within its scope.
- g) Training and Communications
  - The Compliance function proactively drives and supports the delivery of appropriate compliance training and communication activities within the entity.
- h) Compliance Monitoring and Oversight
  - The Compliance function performs risk-based Compliance Monitoring, including Compliance Reviews, to identify potential compliance issues on a timely basis and in order to provide compliance risk assurance to management.
- i) Reporting, Analysis and Remediation
  - The Compliance function analyses identified compliance risks, issues and ongoing remediation efforts and reports on them to the respective Audit Committees and management bodies.
10. Scope
Diagram: Legal and Regulatory Risks, with the function that owns each area:
- Solvency Risk / Capital Management: Actuarial
- Stock Exchange Requirements: Legal
- Prudential Supervision: Finance / Compliance
- Tax Law/Regulation: Finance
- Adequate Financial Disclosures: Finance
- Corporate Governance Legislation: Legal
- Accounting Standards Requirements: Finance
- Health and Safety Regulations: HR
- Compliance Risk Universe: Compliance Program
Compliance Risk Universe:
- Market Abuse
- Licensing
- Conduct of Business
- Financial Crime
- Data Management
- Regulatory Relationship
Topics within the universe:
- Product Design
- Product Marketing
- Product Suitability
- Sales and Intermediaries
- Complaints handling
- Customer Anti-Discrimination
- Customer Privacy
- Insider Dealing
- Anti-Trust / Competition Laws
- Conflict of Interest
- Anti-Money Laundering
- Anti-Terrorist Financing
- AML Surveillance
- Client Intermediary Due Diligence
- Trade Economic Sanctions
- Internal Restrictions
- Misappropriation of Data
- Anti-Bribery / Anti-Corruption
- Data Protection
- Record Retention
- Periodic Filing
- Examinations / Visits
11. Objectives
- What is Compliance/Role?
- Regulator/Commentator Views
- How to?
- FR Role/Expectations
- Conclusion
12. Some Views/Quotes
- "Compliance is a key component of a successful business, an integral part of good business conduct and important in projecting standards of excellence and unparalleled ethics to its clients and the market in general." CITIGROUP ASSET MANAGEMENT, Compliance Department Statement
- "Compliance is one of the main repositories of the conscience of a financial services business - the guardian of an institution's soul and ethics. The compliance function strengthens the principles of conducting business in accordance with all applicable law, rules, codes and standards required by regulators, respecting the principles of integrity and fair dealing at all times, which is essential. Good compliance can enhance reputation through improved services and efficient implementation of new business initiatives."
- "The key challenge for all institutions is to develop a culture within their organisations that fosters compliance and high ethical standards." Former CEO, Irish Financial Regulator.
13. Lip Service
- "But the suspicion remains that changes to boardroom structures and composition are ones of process, not substance. When survey respondents were asked which areas were the critical priorities for board members, an issue of process (ensuring adequate internal controls) came out well on top. This hierarchy may accurately reflect the regulatory pressures under which many companies are operating, but the broader responsibilities of the board risk being neglected as a result. Good governance is not just about turning boards into a high-level Compliance function - nor is it about investing in the actual Compliance function."
- "Too many financial institutions around the world are still stuck on the idea that the best way to improve standards of governance is to ensure that employees are complying with the letter, but not necessarily the spirit, of the law."
- "Too often financial institutions have fallen into the trap of treating compliance as a box to tick when the business of the day is done. What they need to do, he says, is think of compliance less as a function and more as an institutional state of mind, helping firms to anticipate risk as well as avoid it."
14. Compliance Gap
- Behaviour that may be legally defensible can still damage the reputation of the business.
- What is regarded as sharp practice by informed customers today often becomes the subject of regulation tomorrow.
- The compliance department alone cannot resolve the inherent conflict of interest between an organisation's desire for profits and its duty to wider stakeholders, including customers. Rules are meaningless if they go against the grain of the organisation as a whole: if, in other words, there is a culture of non-compliance.
- A new vision of compliance is needed: one that puts the consumer first, that embraces internal guidelines as well as outside regulations, that prevents damage to the business rather than just detecting it after the damage is done, and that embeds a culture of compliance into the marrow of financial institutions.
15. Objectives
- What is Compliance/Role?
- Regulator/Commentator Views
- How to?
- FR Role/Expectations
- Conclusion
16. Embedding Culture of Compliance
- Existing Culture
- CEO role
- Values Statement
- Internal Policies
- Training
- Objective Setting/Reward Measurement
17. (Quote)
- "Our job is not just to comply. As a leader your job is also to actively help sustain the kind of environment where integrity is not seen as a trade-off to commercial success, but as a necessary ingredient for it. Everyone understands the need for preventive, robust compliance efforts. We value both results and ethical behavior." J. Schiro, CEO, Zurich Financial Services
18. Embedding Culture of Compliance
- Existing Culture
- CEO role
- Values Statement
- Internal Policies
- Training
- Objective Setting/Reward Measurement
19. BIS - August 2008
- Promoting a strong compliance culture
- The tools most frequently used to promote a strong compliance culture are training and the existence of a written policy established by senior management. Follow-up mechanisms by senior management to ensure that appropriate remedial or disciplinary action is taken if breaches are identified were also mentioned by 13 jurisdictions.
20. Embedding a Culture
21. Ethical Culture
22. Code of Conduct
- Principles
  - Participation from multiple stakeholders and multiple levels of the organization
  - Understandable
  - Addresses all legal requirements
  - Addresses voluntary policies and values
23. Code of Conduct
DEFINE PRINCIPLES AND VALUES: define and communicate the values and principles that should guide both individual and organizational conduct, the values and principles for which the organization stands.
- Define the entity's principles/values statements either separately or as part of another document (mission/vision statement, code of conduct, etc.).
- Involve appropriate internal stakeholders in the development of principles/values.
- Obtain senior management/board commitment to the statement of principles/values.
- Communicate the statement of principles/values to all internal stakeholders, including employees and other agents.
- Communicate the statement of principles/values to selected external stakeholders:
  - on the entity's website
  - in reports and communications to shareholders and other stakeholders.
- Periodically review principles/values to consider appropriate revisions based upon business, management, legal or cultural environment changes.
25. Embedding Culture of Compliance
- Existing Culture
- CEO role
- Values Statement
- Internal Policies
- Training
- Objective Setting/Reward Measurement
26. Internal Policies and Controls
- Empowering Everyone
- "Responsibility for sound business management rests not just with those in the compliance department or even the traditional risk disciplines, but with everyone in the organisation. Internal controls embed compliance in people's roles and responsibility more effectively than external regulations. Although the personal liability of senior managers for regulatory non-compliance has risen exponentially in the last two years, the mindset of employees lower down the management chain is different: thinking about regulations is not their concern, but the job of the compliance department."
- "Internal codes of business practice are intuitively different: they manifestly apply to everyone in the institution. Only through internal controls can a culture of compliance become embedded throughout the organisation." Compliance: a Gap at the Heart of Risk Management, PWC / EIU
27. Internal Policies (continued)
- Anti-Money Laundering and Anti-Terrorism
- Proper Retaining and Discarding of Records and Documents
- Money and other Gifts, Business Entertainment, Political / Other Contributions
- Anti-trust, Competition, and Related Areas
- Use of External Auditors for Non-Audit Services
- Reporting Concerns
28. Whistleblower Processes
- Section 806 of Sarbanes-Oxley provides that a company is prohibited from firing or discriminating against an employee who reports a violation of the securities laws or fraud statutes.
- An employee who alleges discharge or discrimination in such a context has a private right of action to seek relief for reinstatement, back pay and compensation for any special damages sustained.
- Companies are creating and clearly communicating a policy establishing that employees are encouraged and required to report suspected legal, ethical, or policy violations to the appropriate individual(s) or department(s).
- It should be clear that employees should report suspected misconduct without fear of retaliation of any kind for a report made in good faith.
- Such a policy should:
  - Establish multiple avenues for reporting compliance or other business conduct concerns (i.e. supervisors/managers, compliance officer, legal department, ethics officer, HR, toll-free helpline, ombudsperson)
  - Establish guidelines for the fair and impartial investigation of purported misconduct (i.e. protection of confidentiality to the greatest extent possible, no adversarial role to any parties involved in the investigation, frequent communication with the reporting party)
  - Establish and consistently enforce a disciplinary policy (i.e. standards of responsibility for management/non-management, verbal warnings, written warnings, corrective actions, follow-up review and report, and dismissal)
31. Embedding Culture of Compliance
- Existing Culture
- CEO role
- Values Statement
- Internal Policies
- Training
- Objective Setting/Reward Measurement
32. Training
- Why?
  - Compliance Training must be recognized as providing reputation and cost benefits to the organization by empowering stakeholders, managers and employees to identify proper courses of action when doing business.
  - The US sentencing guidelines for organisations set out a multi-step model (to define a model of good ethics/compliance); one of the seven steps in this model is communications and training.
  - Your organisation's greatest compliance resource is your staff: they are your best compliance officers. It is essential that you not only tell your employees how you expect them to behave but that you train them in these expected behaviours.
- Scope
  - Policy, e.g. Whistleblowing
  - Area Specific, e.g. AML
  - Ongoing, e.g. Reinforce culture
33. Compliance Training
- Principles - OCEG
  - Initial and continuous training for all employees on the code of conduct
  - Test for knowledge transfer, not just attendance
  - General compliance training (awareness) on an ongoing basis, with refresher training for all at least annually
  - Integrate with other job training
34. Training
- Objectives
  - Promote awareness of compliance principles
  - Demonstrate the right attitudes and behaviour in the workplace
  - Reinforce existing knowledge on compliance
  - Impart technical information on compliance-relevant issues
  - Provide information on Compliance, including policy, procedure and key contact information
35. Training
- CONSIDERATIONS
  - Training design must be flexible to address differences in size, scope of business, resources, culture, educational level of trainees, and other factors that influence the need for customized training
  - Training should be developed or procured with involvement of line management and end-users (students) to help reduce resistance to the training and increase relevance to the specific job / role
  - All training (awareness and job specific) needs to be tracked and monitored by employee so training can be altered if not effective
- CRITICAL SUCCESS FACTORS
  - Delivery of relevant content in a consistent manner, and in a way that promotes the retention and application of knowledge
  - Targeted training applicable to the job
36. Training
37. Training
- Monitor/Measure
  - Reports on the attendance and completion of training activities conducted by employees must be checked.
  - A "temperature check" survey at events may be issued to find out if messages are received and accepted by the target audiences.
  - Performance indicators may also be used: count of hits on intranet pages, quick polls, interviews of people recently trained and feedback forms.
  - Online documented Compliance training modules have the advantage of proving to your regulator that you have informed employees of their relevant obligations and have trained them accordingly, which can be an advantage in the event of a regulatory or compliance breach.
38. Training
- Report
  - Data with regard to completion of training should include the following:
    - Number of participants per training course
    - Percentage of participants who completed the training within the required time frame
    - Percentage of participants who did not complete the training within the required time frame
- Budget
  - Include Compliance Training and Communication in budget planning
39. Sample Training Plan
40. Embedding Culture of Compliance
- Existing Culture
- CEO role
- Values Statement
- Internal Policies
- Training
- Objective Setting/Reward Measurement
42. Making Compliance Famous
- Some of the more practical ways organisations have promoted compliance, or "made it famous", include:
  - All senior managers have compliance objectives against which they are measured and rewarded (annual bonus impact).
  - Introduce a compliance intranet page containing applicable policies/standards/code of conduct.
  - Introduce a compliance newsletter covering new legislation/internal policies.
  - Publicise compliance breaches on the intranet/newsletter.
  - Coach the CEO to mention compliance/ethical behaviour at staff briefings/performance reviews/financial analyst meetings etc.
  - Include compliance in introduction day training.
  - Introduce Compliance days: on-line quiz, promotional toys, coffee coasters etc.
43. Making Compliance Famous (continued)
- Mandatory on-line compliance training.
- Set up a compliance champion in each area/department/section of the business.
- Set a constant message, e.g. the Values statement, and reinforce it.
- Introduce an annual personal compliance sign-off process for key staff: a statement which says "I have read the compliance charter/policy and confirm I am in compliance."
- Mapping Behaviours to Values
- Creating Job-Specific Behaviour Expectations
- Incorporating Behaviours into Performance Goals
- Focusing Performance Reviews on Results and Behaviours.
44. Communication
Compliance Communication Objectives: the Compliance Communication objective is to build understanding of Compliance and to help instil a culture of compliance. Specifically, Communications should assist to:
- Make all audiences aware of the compliance mission, compliance issues, and Policies
- Create transparency and understanding of Compliance's role
- Aim at getting engagement and support across the organisation
- Create enthusiasm among target audiences and willingness to contribute
- Mobilize Senior Management to drive key messages down to operational level
- Have visible and aligned leadership to support communication
- Ensure Management (GEC, GMB, line managers) understands how compliance aids profitable growth and operational transformation and is committed to help ensure that every employee understands the importance of doing the right thing
- Ensure employees understand the importance of doing the right thing from a Compliance perspective and how they can contribute to it
- Include reference to the Reporting Concerns procedure
- Provide case studies
- Focus on compliance-related news and latest developments
45. Sample Communication Strategies
46. Objectives
- What is Compliance/Role?
- Regulator/Commentator Views
- How to?
- FR Role/Expectations
- Conclusion
47. Sanctions
- Available to the FR:
  - 1. Caution or Reprimand
  - 2. Direction to refund or hold money charged/paid
  - 3. Monetary Penalty: 5,000,000 maximum for a corporate or unincorporated body, 500,000 in the case of a person
  - 4. Disqualification of persons involved
  - 5. Direction to cease the prescribed contravention
  - 6. Direction to pay costs of the investigation/inquiry
48. FR Approach to Sanctions
- "Consequently, major factors which we will consider before we decide to pursue a sanctions case will be:
  - The availability of other regulatory actions
  - The nature and seriousness of the contravention
  - The conduct of the financial service provider after it came to light, and
  - The previous compliance record of the financial service provider."
- "In pursuing our sanctions policy our strategy will be to:
  - Promote compliance in the financial services industry
  - Operate in the public interest, and
  - Support the economic, efficient and effective pursuit of our strategy."
49. Reporting Concerns: Regulatory Expectation
Financial Regulator Guidance note: The Financial Regulator expects regulated financial service providers to maintain an open and co-operative relationship with it. In determining when to report concerns about a compliance concern to the Financial Regulator, regard should be had by regulated financial service providers to the following indicators:
(a) Whether there are facts which a reasonable person might construe as suggestive of deliberate, dishonest or reckless conduct
(b) Likely duration and frequency of the compliance concern
(c) The possible amount of any benefit gained or loss avoided due to the compliance concern
(d) Whether the compliance concern is of a type that could reveal serious or systemic weaknesses of the management systems or internal controls relating to all or a part of the business
(e) The extent to which the facts of concern would depart from the required standard of compliance
50. Reporting Concerns: Regulatory Expectation (continued)
(f) The impact of the compliance concern on the orderliness of the financial markets, including whether public confidence in those markets has been, or would be likely to be, damaged
(g) The loss or risk of loss caused to consumers or other market users
(h) The nature and extent of any financial crime facilitated, occasioned or otherwise attributable to the compliance concern
(i) Whether there are a number of smaller linked issues, which individually may not justify reporting to the Financial Regulator, but which do so or are likely to do so when taken collectively
(j) Whether the regulated financial service provider or person concerned in its management have previously been requested to take remedial action
(k) Action taken by the Financial Regulator in previous publicised similar cases
(l) Any other consideration relevant to the unique features of the compliance concern.
The regulator also expects that the financial institution should not wait to establish definitively the facts of a compliance concern but should act on the basis of the apparent facts when the matter is initially discovered, and in addition that the financial service provider should keep adequate records relating to the issue.
51. Objectives
- What is Compliance/Role?
- Regulator/Commentator Views
- How to?
- FR Role/Expectations
- Conclusion
52. Best Practice
- Future for Compliance
  - More and more firms are encouraging or demanding that their Compliance Departments move to a more value-added frontier of enhancing strategy, improving business processes, better managing risk, providing a consultancy to management and unlocking new possibilities in their markets of choice.
- Key functions
  - The four aspects of operation are:
    - Demonstrating Compliance with relevant regulations
    - Embedding Compliance within their organisation
    - Managing the cost of Compliance, and
    - Identifying, addressing and resolving regulatory failures
  - Compliance generally spend too much time on the first and last of these aspects, whereas they should be focusing their efforts and resources on the middle two.
53. Evolving role of compliance
- Compliance, like performance, is a prerequisite for doing and staying in business. The compliance function provides one, albeit essential, tool to enable management to fulfil stakeholders' expectations of integrity and to protect the brand. Compliance costs would certainly appear modest when compared to the billions that can be wiped off share values if lapses in probity, governance or codes of conduct come to light. Essentially, meeting these challenges requires a more holistic and proactive approach to compliance which moves beyond statutory expectations to embrace broader ethical and strategic considerations. It means understanding the essential link between integrity, ensuring the right behaviours throughout the business and meeting strategic objectives. This approach should focus squarely on encouraging appropriate behaviours and the achievement of compliant business practices and processes (i.e., compliant outcomes) rather than placing the onus solely on the compliance function.
- Certain common elements underpin such an approach:
  - Closer integration of governance, risk management and compliance structures, forming a practical continuum underpinning the overall integrity of the organisation and aligned to innovation and the achievement of strategic objectives
  - A culture which breeds the right behaviours and instils integrity into the DNA of the organisation, fostering awareness and ownership of compliance at all levels of the organisation, supported by appropriate rewards, processes and procedures
54. Thank you for your attention
Clive Kelly, 3rd December 2009