
Unit 1
Understanding Governance, Risk and Compliance

Learning Objectives

The purpose of this unit is to:

• explain why we need regulation
• examine the impact of the global credit crisis
• consider whether existing regulation failed at the time
• outline the underlying objectives of regulation
• define governance, risk and compliance and examine why they are
intrinsically related.

Introduction
Before we examine the regulatory environment in which the financial services industry
operates, it is important for us to understand the diversity of the industry which has
regulation imposed on it. It operates on many different levels, each of which may be
further subdivided many times. Different countries maintain their own financial services
industries. These serve different market sectors and provide various forms of service to
different consumers in relation to different products.

Although economic liberalisation during the 20th century led to the development of
an unprecedented level of cohesion among national financial systems – to the extent
that there now exists a single global financial marketplace – that marketplace remains
diverse. The specific manner in which an international, regional, national or market
sector regulatory authority operates will depend on a variety of factors. These factors
will be influenced by the extent of the impact of the global financial crisis, the effects
of which started to emerge in 2007–8, and the different rates at which the national and
international markets have recovered from it.

This unit first explores why there is a need for regulation and then goes on to examine
some of the commonly accepted objectives of, and motivations for, regulation. The role of
regulators, their powers and how different regulators operate are explored in later units.

The starting point for understanding the regulatory environment is to understand why
we actually need regulation in the first place. This requires a brief history lesson on the
development of financial services, focusing upon the issues that led to the requirement for
regulation. For the purpose of this course we use the term ‘regulation’ to capture all types
of requirement, such as legislation, rules set by regulators, rules set by industry bodies,
recommendations from global bodies and codes of practice.

1. Historical issues
We will look in detail at the regulatory timeline in Unit 3, section 1.1, but to
understand the need for regulation we must first understand what kinds of event
have led to regulatory change.

1.1 Scandals

Scandals come in a variety of different forms and have occurred quite frequently.
Some of the more widely publicised scandals that have led to new regulation
include those listed below.

• The Barings Bank scandal in the UK in 1995 was the result of unauthorised
derivatives trading by one of the London bank’s traders, Nick Leeson, in
its Singapore offices. His activities led to losses of over £800m, causing the
collapse of the bank.
• The UK pensions mis-selling crisis began in 1994 when it emerged that
many consumers, acting on flawed advice from salespeople, had swapped
their occupational schemes for private policies, leaving many of them
financially worse off at retirement.
• In the UK, Equitable Life – the world’s oldest life assurer – almost
collapsed in 2000 following a failed attempt to reduce bonuses payable to
policyholders. The Equitable Life scandal spawned an investigation into the
supervisory role of the UK regulator at the time, the FSA, and a claim against
the former auditors of the assurer, Ernst & Young.
• In the late 1990s, the collapse of a number of split capital investment trusts
caused 50,000 investors to lose money. Some of the products sold had been
misleadingly marketed as ‘low-risk’ investments.
• False accounting, fraud and an absence of corporate governance
contributed to the downfall of Enron, the USA’s seventh-largest company, in
2001. Similar issues also led to the virtual collapse of Worldcom in 2002.
• The US Securities and Exchange Commission (SEC) made allegations in
2003 against 12 leading banks, suggesting that they had compromised the
quality of their stock research in order to win lucrative investment banking
business. An investigation into the US investment fund industry was
launched in 2003 by the New York Attorney General, Eliot Spitzer, for alleged
after-hours trading and market timing activities.
• In 2007–8, global financial markets were destabilised following rising
defaults on subprime mortgages in the US. These mortgage assets had been
packaged and sold as securitised products on international markets, often
marked as ‘low risk’. Some of the world’s leading investment banks collapsed
as a result. The US, UK, European and other governments have been
forced to undertake a massive bailout of the global banking sector, among
many other interventions. This ‘credit crisis’ (the so-called ‘credit crunch’) is
examined in greater detail in section 1.2 below.
• In June 2012 the FSA fined Barclays Bank Plc £59.5m for misconduct relating
to the London Interbank Offered Rate (LIBOR) and the Euro Interbank
Offered Rate (EURIBOR).
• In December 2012 the FSA fined UBS AG £160m (the largest fine imposed by
a UK regulator up to that time) for misconduct over the LIBOR rate.
• In December 2012 HSBC was fined $1.9bn in the US for money laundering
and sanctions breaches, and entered into a deferred prosecution agreement
(DPA) with the US government.
• In a further LIBOR fixing case in February 2013 RBS was fined £87.5m. This
was in addition to fines of approximately $300m imposed by US regulators.
• In July 2014 BNP Paribas was fined a then record $8.9bn by US regulators
for processing billions of dollars of transactions for groups in Sudan, Iran
and Cuba between 2002 and 2012. The bank was given a one-year ban on
clearing certain kinds of dollar transaction.
• The largest ever US fine of $16.65bn was levied on Bank of America in
August 2014 to settle charges that it sold flawed mortgage securities in the
years preceding the financial crisis. This case refers to the selling on of loan
packages known as residential mortgage-backed securities (RMBS) that
the bank knew failed to meet underwriting guidelines, or did not comply
with laws, or were inadequately collateralised. None of this information was
made available to investors in these RMBS.

In 2015, foreign exchange rate manipulation became the focus of regulatory
investigation and enforcement. In May of this year the US New York State regulator
the Department of Financial Services (DFS) fined Barclays $485m for trying to
manipulate the spot forex trading market, as part of a wider settlement in which
Barclays was fined $2.4bn by a series of UK and US regulators. This was followed
in November 2015 by another $150m (£99m) fine from the DFS for misleading
customers using its systems to trade currencies. It found that the British bank
would cancel customers’ trades if the markets moved against Barclays in the
fractions of a second between the order being placed and the trade taking place.

Some of these scandals are examined in more detail in subsequent units and are
also discussed as part of the workshops. Additional information on these cases can
also be found in the suggested further readings.

Each scandal further dents consumer confidence. A 2004 combined report on the
dot.com bubble produced by KPMG (the global accountancy practice) and the
think-tank Create stated:

Never have so many lost so much in such a short time. The breadth and depth of the
resulting disillusionment among investors has no precedents in the post-war period. It
was the crushing end of a dream for a generation that had been enticed to believe that
stock markets had magical powers.

And this quote pre-dates the financial crisis! Each time a scandal occurs,
governments and/or regulators feel compelled to react. Sometimes this involves
imposing new or enhanced regulation.

1.2 The global financial crisis

1.2.1 The lead-up to the financial crisis of 2007/2008

The popular term ‘credit crunch’ or ‘credit crisis’ is a little misleading as that was
really a consequence of the financial crisis, rather than an alternative name for the
crisis itself. The causes of the financial crisis, which came to a head in 2007, can
be traced back to a failure on the part of the authorities to recognise, or act upon,
various warning signs that should have been apparent to them much earlier in the
decade. Indeed, it is possible to make a case for the causes of the crisis to be traced
even further back to the repeal of the Glass–Steagall Act of 1933 in the US in late
1999 (see Unit 3 section 1.2).

Although it was the increasing default rate on sub-prime mortgage lending that
brought the crisis to a head, there were many warning signs in the years leading
up to the crisis, signs that to a large extent were ignored by the lenders themselves
and by the various regulatory bodies across the world.

Example: Failure to force banks to increase capital reserves

As early as 2003 concerns were being expressed not only by officials from
the central banks but also by senior officials from the Bank for International
Settlements (BIS) based in Basel. It was perhaps unfortunate that these concerns
were expressed mainly in private and, as a consequence, no action was taken to
ensure that banks increased their capital reserves. On the contrary, regulatory
rules in place at the time actually permitted banks to reduce reserves.

It should be pointed out that not everyone shared these concerns.

Example: US Federal Reserve ignored warnings

The US Federal Reserve held the view that the financial system was indeed
much stronger as a result of the innovative processes that had developed since
the start of the millennium. This was a view shared by many investors, financial
institutions and arguably by some regulators. The financial world had changed,
and changed for the better, or so they thought. This belief was underpinned by
the following assumptions.

• Credit rating agencies provided cost-effective and reliable data and
information about even the most complex financial products.
• The way in which capital markets had developed meant that banks would
always be able to trade their debt securities.
• The ‘originate and distribute’ model (popularly known as ‘slice and dice’)
had significantly reduced the risk of holding debt securities.

The third of these was one of a number of forms of financial innovation that had
taken place in banking in the Western world since the year 2000, whereby a lender
could ‘slice and dice’ loans and then turn them into transferable securities capable
of being sold on the market. The capital this freed up was then available for further
lending. It was believed that this securitisation would permit banks to manage risk
more effectively, and to reduce costs. Furthermore, it assumed that this would also
be an aid to financial stability as less concentration of risk suggested there would
be reduced risk of market failure.

The combined effect of these assumptions was that banks watered down the
criteria against which they were prepared to lend, investors were willing to
purchase financial products about which they had little or no understanding and
policymakers (including regulators) took a relaxed position in the belief that any
potential credit default would have no serious impact on a particular lender as the
risk was dispersed among many individual investors. Regarding the latter point, it
was believed that if a default issue arose this would have only a modest impact on
the bank concerned. In other words, the system would act as a shock absorber.

This line of thinking was reinforced throughout the early years of the new
millennium. Even when it became apparent that, globally, the issuance of credit
instruments was accelerating at a rapid rate (more than tenfold in the period 2000
to 2006) investors showed few, if any, signs of concern and continued their pursuit
of ways to enhance returns following a period of low interest rates. The authorities,
including regulators, gave the impression that they were similarly relaxed about
the situation.

When, in late 2006, default levels on sub-prime debt started to rise quite rapidly,
there was initially little cause for concern. Even when, also in late 2006, sub-prime
default rates started to escalate, investors remained confident that the financial
systems were sufficiently robust to deal with the losses. It was not long, however,
before the mood changed, and optimism gave way to doubts about the ability of
institutions to survive and the credibility of the regulatory environment in which
they operated.

The turning point was the implosion of a German lender, IKB, in the early summer
of 2007.

It was around that time that Hiroshi Nakaso, a senior official at the Bank of Japan,
came to the opinion that the global financial system was not going to be as
resilient as had been thought, especially by many policymakers in the US. ‘I see
striking similarities in what I see today with the early stages of our own financial
crisis more than a decade ago’, he privately warned international contacts shortly
after IKB imploded.

Not long after, in early August, the European Central Bank (ECB) injected €95bn into
the money markets in an attempt to prevent an escalation in borrowing costs –
a course of action the US Federal Reserve was to mirror shortly afterwards. While
these steps were promoted by both bodies as being pre-emptive actions designed
to calm market fears, the perception was quite the opposite: global markets
interpreted these policy decisions as a clear signal that all was not well. Serious
concerns started to emerge and it was not long before these started to gain
momentum and develop into panic.

Markets that had become so vital to lenders for raising funds started to dry up and
within a relatively short time contagion set in as the price of debt securities started
to slide. The knock-on effect was that banks in the UK, the US and Europe
suffered liquidity crises: crises that posed a real threat to their solvency and ability
to survive.

1.2.2 So what went wrong?

This was a question even the Bank for International Settlements (BIS) was
struggling to answer. In its annual report for 2008¹ it asked: ‘How could problems
with sub-prime mortgages, being such a small sector of global financial markets,
provoke such dislocation?’

1. http://www.bis.org/publ/arpdf/ar2008e.htm

It also made the point that the duration of the turmoil, as well as its scope and
the growing evidence of effects on the real economy, had surprised most
financial commentators.

The same could be said for policymakers and the banking community in the West.
In fact, as mentioned above, Hiroshi Nakaso had seen it all before. For in Japan the
late 1980s saw the advent of booming asset markets on the back of easy access
to capital, which, in turn, was based on confidence provided by an expectation of
continuing property price increases. The authorities either failed to see the danger
signals or, if they did, were reluctant to take corrective action.

When, eventually, the Japanese government did react, the policy it adopted (a
more than doubling of interest rates over an 18-month period and an instruction
to the banks to curb lending to the real estate sector) led to a sharp decline in asset
values. Somewhat belatedly it was acknowledged that the pendulum had swung
too far the other way, so interest rates were lowered and liquidity was injected into
the markets. Unfortunately, the damage had been done and could not be easily,
or quickly, repaired. This led to a near-systemic collapse of the Japanese financial
system in 1997.

The Japanese experience is interesting in that the root causes of the crisis there
were very similar to the contributory factors to the crisis in the West, principally:

• disregard of financial prudence
• over-enthusiasm of the banks to lend, even where ability to service the debt
was questionable
• lack of supervision on the part of senior management within the banks
• ignorance of the impact of falling prices and asset sales on liquidity
• the failure of both policymakers and regulators to intervene.

It is probably fair to say, however, that there were additional factors that
contributed to the ‘Western’ crisis. These include:

• over-reliance on value-at-risk and other mathematical models
• under-capitalisation of the banks
• concentration of financial power in a relatively small number of institutions,
leading to a belief that they were too big to fail
• belief that the ‘slice and dice’ model reduced risk, when actually it had the
opposite effect
• lack of understanding on the part of those running the banks of the
products they offered or of the operation of financial markets in general
• failure to understand the consequences of imbalances in the global economy
• the ‘herd instinct’ mentality, which leads to irrational decisions being taken
by otherwise rational management when they follow examples set by
others without real analysis of the decision-making process.

1.2.3 Could anything have been done to avert the crisis?

While it has to be accepted that in any form of business operation there will always
be an element of risk, it is apparent from the above contributory factors that steps
could have been taken to minimise the risk that a crisis of this type and magnitude
would materialise.

There is a general consensus that more attention should have been given to issues
such as the control of asset prices (possibly by including these in central bank
targets), the application of tighter rules on both capital adequacy and liquidity, the
separation of retail and investment banking operations, the retention of financial
responsibility on the part of originators of debt under any form of ‘slice and dice’
arrangement, and better training of senior executives and boards of directors.

In addition, the crisis highlighted the need for much stronger prudential
supervision of the financial services sector and more cooperation and coordination
between governments, central bankers and other regulatory bodies internationally.

Matters relating to the effectiveness of prudential supervision in the UK before
and during the crisis are addressed below, while proposals for improvements are
covered in section 1.3 below, ‘The aftermath of the financial crisis’.

It would be reasonable to assume that the authorities failed to recognise the
warning signs of the impending crisis. While this is partly true, the main issue
appears to have been that, even where they were alerted, they failed to react in
a way that would have minimised the impact. Those who did express concerns in
advance of the crisis included the Governor of the European Central Bank (ECB), who
warned of the need to re-price credit risk. He was also particularly concerned about
the opacity of some aspects of the innovation that had taken place in the financial
sector. Indeed, there was a general impression that the ‘slice and dice’ concept was
contributing to the ever-increasing credit bubble and forcing down borrowing costs
to artificial and unsustainable levels. There were similar reservations about the high
levels of leverage (the ratio of a company's debt to the value of its equity) and the
fact that lenders were watering down the criteria against which they were willing to
lend (sub-prime mortgages being a classic example).

Moving away from prudent lending, based on proven ability to repay, to what is
sometimes referred to as ‘pawn-broking’ (that is, lending against the value of an
asset, typically real estate) is not a recent phenomenon. The secondary banking
crisis of 1973 was caused in part by property bubbles, coupled with a lack of
regulation as restrictions on banking competition were lifted. Similarly, the boom
period in the late 1980s saw banks adopt a philosophy of ‘If we don’t lend someone
else will, so we might as well have the business’, only for problems caused by such
poorly considered lending to appear as the country went into recession in the
early 1990s.

Concerns about missing out in times of growing demand for loans recur time after
time. Retaining, or gaining, market share seems to take precedence over the quality,
and ultimate profitability, of the transaction, regardless of the risk implications.

Such an approach is reflected in the response given by the chief executive of a UK
clearing bank to a former chairman of the Basel Committee on Banking Supervision
at a time when the Bank of England was advising caution about the rate of growth
in bank lending. Essentially, this was along the lines that to adopt a more cautious
approach would result in a loss of market share.

On the question of reliance on risk models, two years or so before the crisis came
to a head, the president of the New York Federal Reserve flagged up the need for
banks to prepare for extremely negative events. These are events that he termed
‘fat tails’ and that are likely to occur more frequently than indicated by the risk
models traditionally used in banking. Whether such advice was heeded it is difficult
to say with certainty as by that time the fundamental causes of the crisis had
already taken root.

1.2.4 The unfolding of the crisis

By the summer of 2007 credit agencies had started to downgrade what had
previously been considered to be safe debt, causing prices to crash. Faith in the
agencies consequently fell away as investors believed that ratings could no longer
be relied upon, particularly where complex debt instruments were concerned. The
safe option was not to purchase these securities at all. This had serious implications:
it resulted in an almost immediate funding crisis because many of the investment
vehicles had obtained funding by issuing notes in the asset-backed commercial
paper markets.

A chain reaction ensued, with banks unable to convert mortgages into bonds that
could then be sold on. The belief that capital markets would always remain liquid
was found to be unjustified, as was the idea that dispersion of risk by using ‘slice
and dice’ methods would afford protection in the event of a financial crisis. In short,
all three of the assumptions against which the stability of the financial system was
assessed were disproved when the crunch came.

As confidence in the financial system disappeared and it became increasingly
difficult to establish the financial credibility of participating institutions, banks
started to retain their cash reserves and stopped lending to one another. The next
stage was for the reconstruction of balance sheets, achieved by reducing lending to
hedge funds and selling assets. This had yet another adverse effect on asset prices,
negatively affecting balance sheets once again.

There were, however, a number of other contributory factors to the crisis. Some
commentators argue that it was the direct result of changes in the Basel capital
requirement rules from 2000 onwards, which allowed banks to operate with lower
levels of capital, that encouraged greater access to mortgages by borrowers with
less complete credit histories or irregular income sources (the sub-prime market).
Others attach blame to policymakers who, for political considerations, refused to
act to prevent the development of asset-price bubbles, a lesson not heeded from
past financial crises.

Brian Quinn, who was once head of supervision at the Bank of England,
expressed the view that ‘the mixture of deregulation and structural change,
together with inappropriate fiscal, monetary and exchange rate policies, seemed
especially malign’.

It is perhaps for these reasons that regulators were reluctant to apply stronger
measures when it became apparent that action was urgently needed.

There is also an argument that this crisis differed from earlier ones in the post-war
era in that, for example, in the US the authorities were faced with the ‘triple-challenges’
of the over-leverage of financial institutions, excessive consumer
debt and a deep economic recession. Any controls imposed to address the first
two would have been likely to have deepened the recession further or to have
prolonged it.

Although the BIS Basel Accords initially acknowledged that capital adequacy
and liquidity formed two underpinning pillars of the financial system, some
commentators believe that there was too much emphasis on the former and not
enough on the latter. Certainly, the 8% capital requirement imposed by Basel was
found to be inadequate when the causes of the crisis were analysed. Overreliance
on the capital requirement may possibly have arisen in part because it is easier
to measure than liquidity, partly because the latter is more directly influenced by
macroeconomic factors.

In the UK, the near-demise of retail mortgage lender, Northern Rock, was the
result of its dependence on the wholesale capital markets to bridge the gap
between what it was lending and the funds available from its retail operations.
In effect, it was lending long term and borrowing short term. When the capital
markets dried up the bank was not in a position to renew or replace its short-term
funding and consequently could not maintain its liquidity. It was only when the
bank got into difficulties that questions were asked about the sustainability of this
business model.

Not only did Northern Rock’s senior management fail to assess properly the
potential risk that funding might not be available from the capital markets, but
there was also a lack of action by those responsible for prudential supervision
of the bank. It is all very well claiming that ‘over reliance on credit markets is
dangerous’, a conclusion reached after the event, when there was an almost
universal failure to recognise the risks involved when the bank was supposedly
achieving outstanding growth in its mortgage lending.

It is worth noting that Northern Rock was, on the basis of Basel II criteria, a
well-capitalised financial institution; so much so that the UK regulator, the FSA,
was willing to sanction a 30% increase in its dividend regardless of the fact that it
lacked the cash needed to make the payments. Mervyn King, then Governor of the
Bank of England, drew an interesting comparison that in the 1960s banks retained
30% of their assets in a readily liquefiable form, mainly Treasury bills or gilt-edged
securities. By 1997 this had fallen below 5% and remained at or below that figure
for the next decade.

1.2.5 Why existing regulation failed

In the immediate aftermath of the crisis there was much written about the need
for more regulation to ensure that banks and other financial institutions would be
strong enough to weather any future crisis that might arise. In fact, when this point
of view is compared with the results of the Banking Banana Skins Report 2006², a
survey published by the Centre for Study of Financial Innovation (CSFi) that placed
excessive regulation at the top of the list of financial risks, it can be seen that the
matter is not quite as simple as it first seems.

2. http://static1.squarespace.com/static/54d620fce4b049bf4cd5be9b/t/5536a03ce4b0b9ccfef0fb72/1429643324396/Banana+Skins+2006+UK.pdf

Concerns expressed by respondents to the CSFi survey included the constant flow
of new regulations, their anti-competitive nature and the cost involved in their
implementation. One principal area for concern was that introducing what was
seen as too high a level of regulation in the UK would lead to the loss of business to
overseas jurisdictions with ‘lighter’ regulatory regimes. It is also interesting to note
that the Insurance Banana Skins Report of the following year (2007) also identified
excessive regulation as the number one risk.

Even back in 2002, the President of the British Bankers Association (BBA – a UK
trade association) was unconvinced about the level of supervision facing UK banks.
At that organisation’s Supervision Conference he made the following points.

We live in an increasingly complex and volatile world – one that is difficult to predict,
control or regulate. The financial services industry is concerned that regulators are too
concerned with consistency and not enough with flexibility. Moving too much towards
rules and too much away from principles.

Prudential regulation designed to underpin the soundness of the financial system is one
thing, intrusive intervention into the commercial activity of businesses operating in a
competitive marketplace is quite another.

There are a number of completely unregulated businesses that compete directly with
banks. I know Sir Howard [Davies – Chairman of the FSA] and his colleagues have
looked at how hedge funds operate. However, I would encourage him and his fellow
regulators to think about how the activities of firms that participate in the price-
formation process in the wholesale markets could impact on systemic stability or
distort competition.

Regulators around the world must recognise that ‘unusual’ behaviour is not
necessarily increasing risk. In fact, systemic risk is more often the result of
behaviours that just follow the accepted ones without questioning them.

As with most aspects of business, it is therefore a case of trying to strike a sensible,
working balance. The debate continues as to what more the regulators could, and
should, have done to avoid the crisis. One common criticism is that, even when
they had concerns, they failed to act.

Example: Regulators’ failure to act

Both the Bank of England and the UK Financial Services Authority (FSA)
expressed concern about the level of lending being undertaken by the banks,
and the associated risks, on a number of occasions but did little about it. A
report produced by the House of Commons Treasury Select Committee severely
criticised both bodies for their failure to ensure that financial institutions were
fully prepared for the worldwide reduction in credit availability, almost to
the closure of the financial markets. Its chairman, John McFall, said ‘It is clear
that many market participants failed to heed the warnings about a serious
underpricing of risk and the potential for impaired liquidity in financial markets in
the mistaken belief that the good times would go on and on’.

The committee recommended that in future, where there were grounds for
concern about a particular bank, the FSA and the Bank of England should write
a letter to its directors highlighting two or three of the key risks. In response, the
bank would be expected to confirm that the risks had been considered, following
which a commentary on the response would be published.

The Bank of England and the FSA had been two of three parties to a memorandum
of understanding signed in October 1997, a few months after the Labour
administration took office, the Treasury being the third party. This became known
as the Tripartite Arrangement (or Tripartite Agreement) and set out the respective
roles of each of the parties in supervising and regulating the financial system in the
UK. Each was supposed to have equal authority.

The Northern Rock crisis revealed a number of shortcomings with this
arrangement, and criticism of all three parties, individually and collectively,
followed. The chairman of the FSA, the Governor of the Bank of England and the
Chancellor of the Exchequer were all accused of failing to take decisive action.
It was claimed that the FSA chairman failed to anticipate the crisis and that the
Governor of the Bank of England attempted to block a rescue of Northern Rock. In
response to the latter accusation, the Governor claimed that the Bank would not
have been complying with the European Market Abuse Directive had he sanctioned
covert action to save Northern Rock (Northern Rock’s head office was located,
purely coincidentally, in Prime Minister Tony Blair’s parliamentary constituency).

This point of view was, however, challenged by the European Commission, which
insisted that the Directive contained sufficient flexibility, therefore allowing the
rescue of the bank to remain secret until the danger of any run on it had passed.
Despite this insistence, the Bank of England maintained its position that it could
not have intervened.

There is also a debate over whether regulation of the banking sector should have
been in the hands of the same body responsible for supervising the stock market
and the selling of insurance products and unit trusts, an opinion echoed by Charles
Goodhart of the London School of Economics, a former adviser to the Bank of
England. In a report published by the CSFI in 2007, he commented ‘There is some
fear that a unified regulator will come to be dominated by the legalistic culture this
tends to engender’.

In an article in the Financial Times in 2008, Goodhart, along with Avinash Persaud of
Gresham College, also expressed reservations about the effectiveness of the Basel II
Accord, claiming that it was ‘pro-cyclical’ in nature. By this he meant that it provided
too much encouragement for banks to accumulate assets on an economic upswing
and not sufficient emphasis on the need to manage their capital when a downturn
occurs. One of the reasons for this is that Basel II uses a risk-measuring formula
based on market prices. So, when the outlook is positive, banks are able to lend
more, but there is no mechanism for reversing the trend when the climate changes.

Another factor that some believe may have contributed to the crisis, and that
relates to the dual role of those banks involved in both retail banking and
investment banking, is that while investment banking has the potential to produce
excellent returns for shareholders and investors, the risks are considerably greater
than those of retail banking. The extent to which this dual role contributed to the
banking crisis in the UK sector is still unclear and has been the subject of much
political debate.

And then there was Basel II. Although it did not actually contribute to the crisis,
some believe that it proved totally ineffective in avoiding its occurrence. One of
the issues was that it had taken a long time for all parts of it to be implemented.
There are grounds for thinking that had it been fully in place before the crisis
came to a head in 2007 then the rules on securitisation might have avoided the
consequences of ‘slice and dice’ as participating banks would have required higher
levels of capital to meet the capital adequacy requirements.

Basel II also seemed to provide little help to the regulators in restraining ever-
escalating debt levels, despite the fact that the risks were being highlighted. The
fear is that, in the event of a future crisis, Basel III will not be able to prevent serious
problems (see Unit 5, sections 6.2.3–6.2.5). Only time will tell.

1.3 The aftermath of the financial crisis

As in Japan a decade or so earlier, one of the main challenges facing policymakers
and regulators around the world in the aftermath of the financial crisis was to
restore confidence in financial institutions and the financial system in which they
operate. This has proved to be a lengthy process and there are many opposing
points of view about the steps that needed to be taken, how quickly and by whom.

The immediate need, and one on which there does appear to be a general
consensus, was for an increase in the level of capital that banks are required to
hold. Basel III and the CRD4 are examples of international regulatory measures that
can bring this about (see Unit 5, sections 6.2.3–6.2.5).

In the longer term, decisions still have to be made about issues such as the
separation of retail banking and investment banking roles. In many jurisdictions
the restructuring of the regulatory system is already complete, through the
implementation of proposals to separate prudential regulation from conduct of
business regulation.

It is probably fair to conclude that investor confidence remains variable, although
the crisis is over. The concern remains that some of the more draconian steps
initially proposed will, as time passes, be watered down for fear that some financial
institutions will consider moving from their more highly regulated bases to more
liberal regulatory jurisdictions (regulatory arbitrage).

2. Do these failings represent regulatory failure?

It is very easy to criticise both governments and regulators with the benefit of
hindsight and apportion blame, and indeed we have seen this in recent years.

It is true that the impact of the scandals mentioned in this unit, and particularly
of the credit crisis, could have been reduced if better controls had been in place
and had been implemented more effectively. However, we must remember that
the impact could also have been much worse if the existing controls had not
been there, and indeed other scandals could have arisen that the existing controls
did prevent. Therefore it is more constructive to analyse what happened in all
these cases, to identify the mistakes made so that lessons can be learned and
improvements made.

It is natural for regulation to be reactive to events as it is impossible to foresee all
possible events. The challenge for governments and regulators is to react speedily
and appropriately.

3. The objectives of regulation

First, let us examine what is meant by the term ‘regulation’. The concept of
regulation is neither new nor exclusive to financial services markets. Most industries
have some form of regulation with which to comply, whether based on statute
or on broader codes of practice. The word generally refers to a set of binding
rules issued by a private or public body with the necessary authority to supervise
compliance with them and apply sanctions in response to their violation. Unit 3,
sections 1.3 and 3 will outline different types of regulatory authority and a number
of different types of regulation.

There is no single agreed theory behind financial services regulation. Its objectives
have been debated for many years. More recently, in the wake of the recent global
financial crisis, there has been significant criticism of the regulatory regimes in
many jurisdictions and the effectiveness of regulation itself in failing to prevent
high-profile banking failures. More recently still, the emergence of additional
financial scandals has further undermined public perception of the effectiveness
of regulation.

It is, however, generally agreed that the broad objectives of financial services
regulation are commendable. This is despite extensive debate on whether the
methodology employed by regulators is correct and occasional strong industry
protests against additional regulatory requirements which are perceived to
increase bureaucracy.

3.1 The central regulatory objectives

3.1.1 Consumer protection

Consumers of financial services need to know that they will be protected by
regulation. That is to say, the regulations in place must be effective in preventing
firms and individuals from putting their own interests first and taking advantage
of consumers, clients and individual customers. Part of the reason for this is
something known as ‘information asymmetry’, where there is a large gap between
the information and knowledge available to the providers of the products and
services and that available to the consumers of these products and services.

Unfortunately history is full of examples of failures in this objective, sometimes
caused deliberately and sometimes accidentally. To achieve this objective,
regulators have been concentrating on what has become known as ‘conduct
of business’ regulation, and the behaviours of firms and individuals towards
their customers.

3.1.2 Facilitating fair, efficient and transparent markets

This is the objective that links investor protection with the prevention of activities
that can be considered to be improper. Regulation should aim to give consumers
access to markets and relevant information, and should also promote practices that
ensure fair treatment.

Efficiency in this context is about the transferring of all relevant information in
good time so that it helps to regulate the supply of, and demand for, products and
services. Regulation should promote this market efficiency.

Transparency relates to how much information is available to consumers about
the products or services they are, or are considering, buying. To help ensure that
consumers are not disadvantaged the objective of transparency is to remove
the risk of non-disclosure of information, or the inequalities that are a feature of
information asymmetry.

3.1.3 Reducing systemic risk

Although it is not the role of regulators or legislators to prevent the failure of firms
in normal market conditions, they do have a role in ensuring that any failures do
not affect other market participants – something also known as the contagion
effect. As some banks, insurers and other financial firms have become more
and more global in their operations, a greater risk of systemic failure has also
developed. This remains a key issue in the regulatory agenda despite the efforts
completed since the financial crisis, where the systemic risks of contagion became
real issues.

It must be remembered that regulation should not limit legitimate risk taking, as
this is essential to an active financial services marketplace. Instead, the regulation
should promote effective risk management and make sure that risk taking is
supported by sufficient capital and liquidity, so that any losses can be absorbed.

3.1.4 Reducing financial crime

Financial crime damages the financial services industry because it reduces market
and consumer confidence, and the fairness and transparency of the markets.
Regulators must aim to protect consumers and prevent firms from being used as
a channel for financial crime. Regulators need to take actions to ensure firms have
systems and controls in place to mitigate financial crime risk, and must also ensure
that their own activities are such that the action they take as supervisors of the
industry will also reduce the risks posed by financial crimes.

3.1.5 Enhancing consumer confidence

This is a combination of the consumer protection objective and of the objective
of the promotion of fair, efficient and transparent markets as described above.
Consumer confidence is a vital element in the success of a financial market, and as
a consequence it can also be identified as a legitimate regulatory objective.

Increasing consumer confidence can therefore be seen as being an objective
stemming from other regulatory objectives: if consumers are confident that
the financial services companies will treat them fairly they consequently have
confidence in the markets. Equally, if consumers and investors know the market
is fair, efficient and transparent then they are more likely to invest in the market
in question.

3.1.6 Promoting and protecting the reputation of the market

The financial services market is often a key component of a country’s economy,
both as an industry in its own right, and as an ‘engine’ which drives the economy.
This makes it in a government’s best interests to make sure the industry can grow
and be successful. Care needs to be taken, as a potential conflict of interest can
arise for the regulator. While strong and effective regulation is in the long-term best
interests of the regulator, short-term decision making could be compromised by
the desire to avoid creating bad publicity, as may be the case with a controversial
enforcement action taken against a major firm in the jurisdiction.

To combat this risk, many jurisdictions create a separate independent body to avoid
any potential conflict of interest.

3.2 IOSCO’s core objectives

In 2003³ the International Organisation of Securities Commissions (IOSCO)
summed up the three core objectives that underpin regulation as:

1. the protection of investors
2. ensuring that markets are fair, efficient and transparent
3. reducing systemic risk (in other words, preserving the integrity of markets).

Although IOSCO specifically concerns itself with securities regulation, the
objectives apply equally well to other markets, and they have been largely adopted
by regulators around the world. The IOSCO statement and report was updated in
2010⁴, when the original principles from 2003 were reiterated and grouped into
nine separate categories, which refer to:

• Principles relating to regulators
• Principles of self-regulation
• Principles for the enforcement of securities regulation
• Principles for cooperation in regulation
• Principles for issuers
• Principles for auditors, credit reference agencies and other information
service providers
• Principles for collective investment schemes
• Principles for market intermediaries
• Principles for secondary markets.

3. https://www.iosco.org/library/pubdocs/pdf/IOSCOPD154.pdf.
4. https://www.iosco.org/library/pubdocs/pdf/IOSCOPD323.pdf.

3.3 Examples of different regulators’ objectives

3.3.1 UK regulatory objectives

Until April 2013 the Financial Services Authority (FSA) was the UK’s single
regulator of financial services. The FSA’s statutory objectives were first defined
in the Financial Services & Markets Act 2000 (FSMA). The FSA’s original statutory
objectives under FSMA were to:

• maintain confidence in the UK financial system
• promote public awareness of the financial system
• secure the right degree of protection for consumers
• reduce financial crime.

Both as a reaction to the impact of the financial crisis, and in anticipation of
regulatory reform, the Financial Services Act 2010 replaced the ‘public awareness’
objective with the objective of maintaining financial stability: ‘contributing to the
protection and enhancement of stability of the UK financial system’.

The UK government’s reform of the regulatory structure has now been
implemented. On 1 April 2013, the FSA’s tenure as the single statutory regulator of
financial services in the UK was brought to an end when two new regulators, the
Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA),
replaced it.

The PRA is a division of the Bank of England, and is responsible for ‘prudential’
regulation; promoting the stable and prudent operation of the financial system
through regulation of all deposit-taking institutions, insurers and investment banks.

The FCA is responsible for ‘conduct of business’ regulation; the day-to-day
supervision of the conduct of retail financial services providers in relation to the
marketing, promotion and selling (and post-sale administration) of retail products.
The FCA is also responsible for the conduct of the wholesale financial markets and
the infrastructure that supports them. The FCA will also have a prudential role,
being the prudential regulator for all regulated firms operating outside the defined
scope of the PRA.

In April 2012, before the transfer to the new regulatory regime, the FSA had
implemented a new internal structure that mirrored as closely as possible the
supervisory responsibilities of the PRA and FCA. This was to facilitate a smooth
transition to the new regime and to give the financial services industry an
indication of how the new regulatory landscape would operate before it actually
came into force.

The PRA, being a division of the Bank of England, enjoys close working
relationships with other parts of the bank, including the Financial Policy Committee
and the Special Resolutions Unit. It is responsible for the prudential regulation
and supervision of banks, building societies, credit unions, insurers and major
investment banks. Its role is divided according to three statutory objectives:

• promoting the safety and soundness of the firms it supervises
• contributing to the securing of an appropriate degree of protection for
insurance companies’ policyholders
• facilitating effective competition in the industry.

The PRA advances these objectives through regulation, by setting standards and
policies that it expects firms to follow and, through supervision, by assessing the
risks firms pose and taking action to reduce them. It also makes an important
contribution to the Bank’s core purpose of protecting and enhancing the stability
of the UK financial system.

There are three main characteristics of the PRA’s approach to supervision:

• a judgement-based approach in determining whether financial firms are
safe and sound
• a forward-looking approach, appraising not only current risks, but also those
that may arise in the future
• a focused approach, concentrating on those issues and firms that pose the
greatest risk to the stability of the UK financial system and to policyholders.

Significantly, there is no ‘zero-failure’ regime in place. The PRA would seek to ensure
that any financial firm that fails does so in a way that would avoid significant
disruption to the supply of critical financial services.

The FCA is governed by a board appointed by the UK’s HM Treasury, and is
accountable both to HM Treasury and to Parliament. It is responsible for meeting
the strategic objective of ensuring that markets function well, and to support this
there are three operational objectives:

• to secure an appropriate degree of protection for consumers
• to protect and enhance the integrity of the UK financial system, and
• to promote effective competition, in the interests of consumers.

So, there is an overlap between the FCA and the PRA in their objectives of
protecting and enhancing the financial system.

The FCA’s remit is founded on the principles of good regulation:

• efficiency and economy – using money in the most efficient way
• proportionality – making sure that any imposition or restriction is
proportional to the benefits expected to result
• consumers’ responsibility – for their own decisions
• senior management’s responsibility – for risk management and controls
within firms
• openness and disclosure – in the information published by the FCA and by
regulated persons, with the aim of promoting consumer knowledge
• transparency – exercising functions as transparently as possible, providing
information on regulatory decisions.

The FCA aims to fulfil this remit by regulating firms, protecting and championing
consumers, and enforcing where needed. It will intervene when it believes that
firms are treating customers unfairly or behaving in ways that risk the integrity of
the market, and will supervise firms differently depending on their size and the
nature of their business. In addition, the FCA works with firms to fight financial
crime, works to ensure that customers get a fair deal, and aims to maintain a
credible deterrence through its enforcement approach.

One of the principles of regulation applicable to both the PRA and the FCA is
that they should ensure that regulation is proportionate. In setting regulations,
they are therefore required to strike an appropriate balance between protecting
the market from collapse and permitting legitimate and considered risk taking.
Risk is essential for an active financial marketplace. Regulators cannot prevent
financial services businesses from failing, but they aim to inhibit this by imposing
capital adequacy and internal control requirements. These requirements are
designed to ensure that there is sufficient liquidity for financial institutions to
meet their obligations, making them less vulnerable to hasty withdrawals by
depositors or investors, and other market shocks.

3.3.2 US regulatory objectives

In the US there is a general distinction between the regulators that focus on
prudential controls and those that focus on disclosure and conduct. Four
federal agencies have prudential authority over banks, thrift companies and
credit unions:

• the Office of the Comptroller of the Currency (OCC)
• the Federal Deposit Insurance Corporation (FDIC)
• the National Credit Union Administration (NCUA)
• the Federal Reserve Board (the Fed/FRB).

Two agencies oversee the markets for financial contracts (securities and derivatives):

• Securities and Exchange Commission (SEC)
• Commodity Futures Trading Commission (CFTC).

Two agencies supervise ‘other’ activities (government-sponsored enterprises in
housing and consumer financial products):

• Federal Housing Finance Agency (FHFA)
• Consumer Financial Protection Bureau (CFPB).

Three other entities facilitate communication and coordination among member
agencies, and they either regulate an activity regardless of the type of agency
involved, or provide prudential regulation to non-banks:

• Financial Stability Oversight Council (FSOC)
• Federal Financial Institutions Examination Council (FFIEC)
• President’s Working Group on Capital Markets (PWG).

How does this system work in practice?

Prudential bank regulators and the FHFA monitor and limit the risks in which
their chartered firms engage. Securities and derivatives regulators monitor the
exchanges where financial contracts are traded, oversee the firms’ disclosure, and
enforce the rules against deceptive or manipulative trading practices.

A specific event is often regulated by multiple agencies because firms subject
to institutional regulation may conduct transactions subject to activity-based
regulations. An example that illustrates this is the JP Morgan London Whale
Trades. In response to the question ‘who is JP Morgan’s regulator?’ the answer
has to be ‘several’:

• risk management is subject to prudential regulation by the OCC at the
depository level
• risk management is subject to prudential regulation by the FRB on a
consolidated basis
• disclosure of trades to stockholders is regulated by the SEC
• derivatives transactions are regulated by the CFTC
• safety and soundness as an insured depository institution is subject to
the FDIC.

The US has historically provided one or more regulators for each category of
financial regulation, rather than a single agency with authority for all financial
markets, activities and institutions.

There has been debate over bringing all these into a single agency – in the debate
over the Dodd–Frank Act (see Unit 4, section 4.3.1) there were proposals to create
a single financial institution regulatory authority but, when passed, it created two
new agencies and merged the Office of Thrift Supervision with the OCC.

The US view is that there are four ways to regulate financial firms and services:

• regulate certain types of financial institutions
• regulate a particular market
• regulate a particular financial activity
• regulate for systemic risk.

The regulatory architecture is described in the following table.

Regulatory agency: Federal Reserve
Institutions regulated: Bank holding firms and some subsidiaries, financial
holding firms, saving and loan holding firms, and any firm designated as
systemically significant by FSOC. State banks that are members of the Federal
Reserve System, US branches of foreign banks, foreign branches of US banks.
Payment, clearing and settlement systems designated as systemically significant
by FSOC, unless regulated by SEC or CFTC.
Emergency/Systemic risk powers: Lender of last resort to member banks. In unusual
circumstances the Fed may extend credit beyond member banks to provide liquidity
to the financial system but not to aid failing financial firms. May initiate a
resolution process to shut down firms that pose a grave threat to financial
stability. The FDIC and the Treasury have similar powers.
Other notable authority: Numerous market-level regulatory authorities, such as
those overseeing checking services, lending markets, and other banking-related
activities.

Regulatory agency: Office of the Comptroller of the Currency (OCC)
Institutions regulated: National banks, federally chartered thrift institutions.
Emergency/Systemic risk powers: None listed.
Other notable authority: None listed.

Regulatory agency: Federal Deposit Insurance Corporation (FDIC)
Institutions regulated: Federally insured depository institutions, including
state banks and thrift companies that are not members of the Federal Reserve
System.
Emergency/Systemic risk powers: After identifying systemic risk, FDIC may invoke
broad authority to use deposit insurance funds to provide assistance to
depository institutions, including debt guarantees.
Other notable authority: Operates a deposit insurance fund for federally and
state chartered banks and thrift companies.

Regulatory agency: National Credit Union Administration (NCUA)
Institutions regulated: Federally chartered or insured credit unions.
Emergency/Systemic risk powers: Serves as a liquidity lender to credit unions
experiencing liquidity shortfalls, through the Central Liquidity Facility.
Other notable authority: Operates a deposit insurance fund for credit unions, the
National Credit Union Share Insurance Fund.

Regulatory agency: Securities and Exchange Commission (SEC)
Institutions regulated: Securities exchanges, brokers and dealers; mutual funds;
clearing agencies; investment advisers. Nationally recognised statistical rating
organisations. Security-based swap (SBS) dealers, major SBS participants, SBS
execution facilities. Corporations selling securities to the public must register
and make financial disclosures.
Emergency/Systemic risk powers: May unilaterally close markets or suspend trading
strategies for limited periods.
Other notable authority: Authorised to set financial accounting standards that
all publicly traded firms must use.

Regulatory agency: Commodity Futures Trading Commission (CFTC)
Institutions regulated: Futures exchanges, brokers, commodity pool operators,
commodity trading advisers. Swap dealers, major swap participants and swap
execution facilities.
Emergency/Systemic risk powers: May suspend trading, order liquidation of
positions in market emergencies.
Other notable authority: None listed.

Regulatory agency: Federal Housing Finance Agency (FHFA)
Institutions regulated: Fannie Mae, Freddie Mac, and the Federal Home Loan Banks.
Emergency/Systemic risk powers: Acting as conservator for Fannie Mae and Freddie
Mac.
Other notable authority: None listed.

Regulatory agency: Bureau of Consumer Financial Protection
Institutions regulated: Non-bank mortgage-related firms, private student lenders,
payday lenders, and larger consumer financial entities to be determined by the
bureau. Consumer businesses of banks with over $10bn in assets. Does not supervise
insurers, SEC and CFTC registrants, auto dealers, sellers of non-financial goods,
real estate brokers and agents, and banks with assets of less than $10bn.
Emergency/Systemic risk powers: None listed.
Other notable authority: Writes rules to carry out the federal consumer financial
protection laws.

3.3.3 Hong Kong regulators

The Hong Kong Monetary Authority was established in 1993 to ensure that the
central banking functions of maintaining banking and monetary stability can be
exercised in a way that commands the confidence of domestic and international
consumers. It also exists to maintain currency stability, and to promote the
efficiency and development of the financial system.

The Securities and Futures Commission is an autonomous statutory body established
in 1989 for administering the laws governing securities and futures markets. It seeks
to maintain and promote the fairness, efficiency, competitiveness, transparency
and orderliness of securities and futures and to protect investors. It has regulatory
oversight of Hong Kong Exchanges and Clearing Ltd and its subsidiaries.

The Office of the Commissioner of Insurance is a government division that
administers the legislation governing insurance companies and intermediaries and
also covers prudential supervision. The Commissioner of Insurance is appointed
as the Insurance Authority (IA). Developments include the appointment of an
Independent IA to give the new regulatory body more flexibility and to enhance
the regulation of insurers and intermediaries, which is likely to occur in 2015. This
development also obliges intermediaries to pass a qualifying examination and to
attend continuous professional development (CPD) programmes.

The Mandatory Provident Fund Schemes Authority was established in September
1998 as an autonomous, statutory body responsible for regulating, supervising and
monitoring the operation of the MPF system. Its objective is to ensure the provision
of retirement protection for Hong Kong’s workforce through an effective and efficient
system of regulation and supervision of privately managed provident fund schemes.

3.3.4 Singapore regulators

The ultimate objective of the Monetary Authority of Singapore (MAS) is ‘to promote
sustained and non-inflationary economic growth, and a sound and progressive
financial services sector’. This mission is supported by six clear desired outcomes:

1. a stable financial system
2. safe and sound intermediaries
3. a safe and efficient infrastructure
4. fair, efficient and transparent markets
5. transparent and fair-dealing intermediaries
6. well-informed and empowered consumers.

To achieve its objectives the MAS performs six distinct oversight functions:
regulation, authorisation, supervision, surveillance, enforcement and resolution. In
addition, it undertakes to facilitate sound corporate governance, effective market
discipline, a high level of consumer education and a basic consumer safety net.

3.3.5 Dubai International Financial Centre regulator

The Dubai Financial Services Authority (DFSA) is the independent regulator of all
financial and ancillary services conducted through the Dubai International Financial
Centre (DIFC), a purpose-built financial free-zone in Dubai.

The DFSA’s regulatory mandate covers asset management, banking and credit
services, securities, collective investment funds, custody and trust services,
commodities futures trading, Islamic finance, insurance, an international equities
exchange and an international commodities derivatives exchange.

The DFSA is also responsible for the regulation and supervision of persons in the
DIFC in relation to anti-money laundering, counter-terrorist financing and sanctions
compliance. The DFSA’s stated approach is: ‘To be a risk-based regulator and to
avoid unnecessary regulatory burden’ – believing regulation should be directed at
the mitigation of risks that would otherwise be unacceptable. It also believes that
compliance obligations should be proportionate to the mitigation of those risks
within a framework that enables regulated entities to effectively and efficiently
meet their compliance obligations.

The DFSA has a statutory obligation to pursue the following objectives:

• to foster and maintain fairness, transparency and efficiency in the
financial services industry (namely, the financial services and related
activities carried on) in the DIFC
• to foster and maintain confidence in the financial services industry in
the DIFC
• to foster and maintain the financial stability of the financial services
industry in the DIFC, including the reduction of systemic risk
• to prevent, detect and restrain conduct that causes or may cause
damage to the reputation of the DIFC or the financial services industry in
the DIFC, through appropriate means including the imposition of sanctions
• to protect direct and indirect users and prospective users of the financial
services industry in the DIFC
• to promote public understanding of the regulation of the financial services
industry in the DIFC
• to pursue any other objectives as may be set under DIFC Law.

4. Effective GRC

Governance, risk and compliance (GRC) forms an evolving field of focus for firms
today. In the past few years, GRC has grown in both criticality and value to firms
needing to deal with shifting business environments. The definition of GRC has
matured in response to changing regulatory and corporate governance needs. GRC
initiatives can affect the entire firm and have been a conduit for pulling together
functions within a business that rarely collaborated in the past.

GRC is an umbrella term which covers a firm’s approach to the three distinct
disciplines of governance, risk management and compliance. These are very closely
related: the activities involved in each need to be carried out alongside those
of the other two in order to avoid conflicts, overlaps and omissions. In the vast
majority of financial services firms, GRC will comprise corporate governance, risk
management and compliance with the laws, regulations, and standards that apply
to the industry.

We will take a look at each of these separately.


4.1 Governance

The term ‘governance’ is derived from a Greek verb meaning ‘to steer’. In theory it is
a general concept, which leads to a narrower practical definition when applied to a
specific activity or industry. So, in relation to financial services companies, we refer
to corporate governance. This consists of the processes, policies, laws and accepted
ways of doing business, and how these affect the way a firm is controlled. It must
also include the relationship between a company’s stakeholders and the business
goals the company seeks to achieve.

The key stakeholders in a firm include customers, shareholders, management and
other employees, and the regulators who supervise the industry. Increasingly, focus
is placed on other stakeholders, including the community, the environment, and
even other firms in the same market.

Later in the course, we will look at corporate governance and how to define the
subject, and explore the interrelationships between compliance, risk and corporate
governance in greater detail.

4.2 Risk

As emphasised by the Institute of Risk Management (IRM),5 there is a need for firms
to understand the risks they take in the course of working towards meeting their
objectives. In the case of financial services firms, the senior management and board
of directors must understand the levels of risk that are inherent in their activities
and in the processes that are followed within these activities. So, it is extremely
important for firms to recognise the most significant risks, and to prioritise
their actions to reflect these. This is achieved through robust and cohesive risk-
management activity, and we will concentrate on this subject in Unit 6.

Risk can affect a firm in the short, medium and long term, and these timeframes
can link risks to operational activities (short-term risks), business tactics (medium-
term risks) and overall company strategic decision making (long-term risks). Senior
management and the board therefore need to have a full understanding of the
different risk severity levels, and the timescales over which they may affect the
business, in order to manage the firm effectively.

4.3 Compliance

In its simplest description, compliance means conforming to rules, laws, policies
and standards, and regulatory compliance can be described as being the goal that
firms need to achieve in order to be able to do business within the applicable laws,
regulations and rules.

Several elements make up the fundamental components of compliance. They include:

• creating policies and procedures to follow the rules
• developing internal controls
• having a management framework that makes responsibility and
accountability clear
• testing and auditing
• training and development
• robust record-keeping standards.

5. A Structured Approach to ERM and the Requirements of ISO31000, airmic/Alarm/IRM, 2010
https://www.theirm.org/media/886062/ISO3100_doc.pdf.

Internationally, there has been much work on addressing the need for stronger
regulation and compliance standards. For example, in the US, the Sarbanes–
Oxley Act of 2002 set out strict requirements on the personal responsibility and
accountability of senior management for compliance with regulatory requirements.

4.4 Why do we need GRC in our firms?

Considered individually, governance, risk and compliance are essential tools for
the proper functioning of a business, but we cannot view each one in isolation.
GRC is all about corporate integrity, and establishing and maintaining robust
and high-quality management of the business. Properly exercised, GRC enables
a firm to manage itself, its activities, its employees and agents, and its resources
more effectively.

The benefits are more than just regulatory compliance and avoidance of the
risk of sanctions. Quality corporate governance provides the business structures
and frameworks needed for the board to manage the firm. Good risk analysis
and management enables decisions to be made on an informed basis. Effective
compliance management means that firms are engaged with the legal, regulatory
and standards requirements or obligations that are enforced on the industry.

So, GRC regulates the functions and activities of the firm but those responsible for
ensuring GRC do not actually perform those functions and activities. And the result
of all this is that GRC has become a vital component within the overall complex
system of the company.

The Open Compliance and Ethics Group (OCEG)6 – a non-profit think-tank – defines
GRC as a system of people, processes and technology that enables a company to:

• understand and prioritise stakeholder expectations
• set business objectives that are in agreement with values and risks
• achieve objectives while optimising its risk profile, and protecting value
• operate within legal, contractual, internal, social and ethical boundaries
• provide reliable, relevant and timely information to appropriate stakeholders
• enable the measurement of the performance and effectiveness of
the system.

This unit also asks why we need regulation, and what commonly accepted
objectives and motivations underpin regulation. It looks at why we need to
consider previous mistakes, the changing markets in which financial services firms
operate and, importantly, it considers and explains the benefits of a compliance
culture within a financial services firm. It also considers the importance of the role
of the board of a firm in developing and promoting the culture and ethics within
the business that are so critical in the current environment.

6. http://www.oceg.org/about/.


4.5 The cultural components of effective GRC

As mentioned in section 4.4 above, the OCEG has published its definition of
GRC. The OCEG argues that GRC adds value by helping us to understand the
real-life problems that can inhibit a company’s achievement of optimised value.
It discusses risk management and compliance within the context of governance,
and by ‘GRC’ it means all the processes within a firm that have to function together
effectively to ensure maximised sustainable, agile, long-term, compliant, and
responsible performance.

These processes include effective board operations, performance management,
and other aspects of organisational governance together with risk management,
compliance and internal audit – with the shared objective of achieving the
maximum sustainable and ethical value for all the firm’s stakeholders – and not
just shareholders.

In 2011, an evaluation of governance, risk and compliance succinctly summarised
what constitutes effective GRC.7 Its author, Hernan Huwyler, argued that a robust
GRC culture influences management and employees’ decisions, sometimes even at
an unconscious level. All staff should ensure that the ‘whatever it takes’ attitude to
get results does not affect stakeholders’ interests. Employees should understand
that GRC rules apply to everyone in the company as they pursue their business
goals. In other words, all levels of a company need to understand the boundaries
within which they can operate. To develop this further, we need to look at cultural
considerations in the three elements of GRC: risk culture, compliance culture and
governance culture.

4.5.1 Risk culture

A firm’s risk culture can be determined by the system of values and behaviours,
collectively called the culture, that affect the company’s risk decisions. In practical
terms, employees need to understand the company risk exposures. The risk culture
is created by risk-management training, risk assessment and guidance about
decision making. It involves risk management and appetite policies as well as risk
statements and procedures. A strong risk culture is part of a good business-wide
risk-management practice. For instance, banks with a healthy risk culture were able
to deal with the 2008 credit crisis better than those without such a culture.

A strong risk culture is also a strong foundation for good standards of conduct.
Conduct is more than just the way in which the individual employees of a company
behave towards consumers: there are also market conduct dimensions and
company conduct considerations. Conduct is increasingly becoming a regulatory
‘hot topic’ and in some jurisdictions regulators require firms to provide evidence of
how they are achieving the regulatory requirements of high standards of conduct
and the management of conduct risks.

4.5.2 Compliance culture

Compliance culture can be defined as the overall environment within which
compliance issues are handled. In a strong compliance culture, employees follow
the right processes and perform the right controls even without oversight. In
practical terms, its ‘compliance culture’ determines how effective a company is
in meeting compliance regulations and deterring and detecting compliance
problems. It covers how proactive the employees are in averting compliance issues,
interpreting the meaning and the intention of rules, and directing resources to
interpreting and understanding their meaning and impacts. Compliance culture
involves strategic planning, effective control points, careful audit traceability and
documentation, proper disclosure, and company procedures that are familiar
to employees.

7. http://mydailyexecutive.blogspot.co.uk/2011/08/defining-grc-culture.html.

4.5.3 Governance culture

An effective governance culture can be defined as the sum of the attitudes and
actions that lead to the building of a strong and competitive company that
enhances shareholder value. Governance culture determines the strategic direction
of a company, and how this strategy is embedded into business practices and
leadership capabilities at every level. A healthy governance culture would create
a reputational advantage among the investors. The governance culture reflects
beliefs about how business should be done and the ethical principles of the
management and employees in general.

Huwyler concludes that building a strong GRC culture is a consistent and long
process that is based on effective communication about ethics and practices and
on rewarding proper actions that comply with the GRC strategy. It is not enough
to have good intentions. It is not enough to have an Internal Audit department.
It requires leadership, accountability and appropriate infrastructure to create
an environment that is conducive to ethical behaviour and that is part of the
company’s business model.

5. Preparing for regulatory change

A mature and thorough approach to GRC helps a company to be aware of all
the rules, regulations, legislation and principles that will affect it. This is achieved
through awareness of not only the current position, but also potential or
planned changes and understanding the areas subject to heightened scrutiny
by the regulators.

The questions that firms need to ask themselves about managing the risks
associated with regulatory reforms include the following.

• Is the governance structure supported by an adequate risk and
control framework?
• Do we have the correct competencies in our staff to enable us to analyse
and formulate operational solutions to the challenges posed by the new
or amended regulatory landscape?
• Do we have an effective process for interpreting new or revised regulation?
• How closely is the Compliance function integrated into other
assurance functions?
• How robust and comprehensive is the information we have, so that
we can make sound decisions, report accurately and then produce
compliant solutions?
• Do we have the best controls in place to address the risks of fraud, abuse, or
even excessive and meaningless over-reporting of information?
• Do we have a monitoring process in place to evaluate the efficacy of all the
controls, and to ensure that the regulators’ recommendations are followed?

5.1 Where to begin with a GRC regulatory strategy

If a firm or organisation is uncertain over where to begin its journey towards
achieving a GRC strategy that can simplify processes, reduce costs and deal with
the compliance burden imposed by increased regulation and tighter scrutiny, it
could usefully incorporate the following steps.

• Ensure the board and senior management commit to, and endorse,
the strategy.
• Consider all key stakeholders, and ensure that all their requirements
are accommodated.
• Establish the guiding principles and be sure that they are aligned with
the firm’s strategic objectives.
• Make sure that risk-assessment processes are clear and well defined.
• Identify any opportunities that the GRC strategy may present and take
advantage of them for the benefit of consumers and the firm overall.
• Make sure that people, processes, outcomes and management
information are used cohesively and collectively in the journey to
achieving effective GRC.

5.1.1 The contribution of GRC failures to regulatory compliance failure

In 2012, Barclays Bank plc was fined heavily by both UK and US regulators over its
manipulation of the London Interbank Offered Rate (LIBOR). Commentators at the
time pointed to the fact that the bank’s internal controls had failed to identify and
prevent the activity in the first place.

The following is an extract from an article published by Reuters in 2012.8

The lack of specific internal controls, particularly in reviewing email communications,
was one of the failures cited by a Commodity Futures Trading Commission regulatory
order implementing its share of the Barclays settlement. The CFTC said Barclays lacked
daily supervision and periodic reviews that could have detected the interest rate
manipulation. The order also accused the bank’s senior management of encouraging
executives to submit lower rates than the bank was actually paying.

Appropriate daily supervision of the desk by the supervisors, as well as periodic review
of the communications, should have discovered the conduct. However, Barclays
lacked specific internal controls and procedures that would have enabled Barclays’
management or compliance to discover this conduct.

Barclays gave its consent to the order, without specifically admitting or denying
its findings. Referring to activities to manipulate the EURIBOR rate, an order
published by the CFTC said:

Multiple traders engaged in this conduct, and no attempt was made by any of the
traders to conceal the requests from supervisors at Barclays during the more than
four-year period in which the activity occurred … and on occasion, the traders
discussed their requests with trading desk managers.

8. http://blogs.reuters.com/financial-regulatory-forum/2012/07/03/barclays-governance-
compliance-weaknesses-exposed-in-u-s-regulators-findings/.

It said that a Barclays supervisor passed on a trader’s concerns to a senior
Compliance Officer and a member of Barclays senior management that the bank
was being dishonest in submissions that reported the LIBOR rates. The Barclays
senior Compliance Officer then told Britain’s Financial Services Authority he was
concerned that LIBOR reports by banks were distorted.

The senior Compliance Officer reported in an internal email, ‘directed to several
levels of Barclays’ senior management’, that he had informed the FSA of his
concerns about potential distortion of LIBOR. This officer did not, however, tell the
FSA that Barclays was altering its own LIBOR submissions. The CFTC stated that:
‘The same Barclays senior compliance officer did not follow up internally with the
Libor submitters or their supervisor to confirm that Barclays was making its Libor
submissions properly’, and the bank’s practices did not change.

Furthermore, the CFTC order alluded to the possibility that the Bank of England had
put pressure on Barclays to manipulate its LIBOR reports.

Barclays increasingly felt tremendous external pressures concerning how it was being
perceived in the market and media, particularly due to its higher Libor submissions
relative to the other panel banks. Barclays continued to believe that the other panel
banks’ Libor submissions were unrealistically low. Even though it maintained that its
liquidity position was in fact strong, Barclays was increasingly worried about these
market and media perceptions. At this time, the Bank of England had a conversation
with a senior individual in Barclays, in which it raised questions about Barclays’ liquidity
position and its relatively high Libor submissions.

In late October 2008, reacting to this pressure and the discussion with the Bank of
England, Barclays believed it needed to lower its Libor submissions even further.

As a result, bank senior managers ordered that the LIBOR submissions be
lowered further.

5.1.2 Establishing the importance of ethics and integrity

By definition, an ethical framework goes beyond a compliance framework that is
based only on a desire to comply with minimum legal and regulatory obligations.

Professor David Jackman, chair and founder of The Ethical Space and Into The
Clearing, describes ethics as ‘being a steward, being responsible to broader society,
and behaving in a “proper” way’. He explains that ‘In our industry we need to be
more subtle in working out what is appropriate, what is practical and what is
realistic: factors which make it very difficult to apply “simple” ethical standards’.

While regulators do not have sufficient powers to go beyond enforcement of
minimum legal and regulatory standards, they are clearly impressed by businesses
that do.


How, then, can a compliance professional promote the adoption of an ethical
approach to the conduct of business by a firm? It can be difficult to attempt to
quantify the value of the enhancements that can result, particularly in a way that
will convince a management interested only in the ‘bottom line’. There are clear
benefits for the reputation of an organisation, but without any clear link to financial
benefit, they may be inadequate motivators.

A good example of this approach comes from the UK.

Both the UK regulators place great emphasis on their high-level rules contained in
the Principles for Businesses Handbook (FCA) and the Fundamental Rules (PRA),
both when initially authorising firms and subsequently when supervising them.
These set out the fundamental principles on which firms should be run, and act as
the foundation on which other rules and principles are based. These are arguably
the most important components of the Handbook and Fundamental Rules, and all
the subsequent regulatory rules relate back to these core principles. The aim of the
principles is to focus firms on ‘doing the right thing’ in the course of conducting
business – in other words, behaving ethically. Breaching a core principle makes
a firm liable to disciplinary sanctions. Enforcement notices issued refer to those
Principles for Businesses or Fundamental Rules that have been breached, as well as
any specific rule breaches that have occurred.

Even after the original publication of the Principles for Businesses by the FSA, many
firms continued to focus simply on attaining compliance with the regulations.
Because of the difficulty of positively motivating firms to ‘do the right thing’, in 2004
the FSA introduced its Treating Customers Fairly (TCF) initiative. TCF remains an
important area of focus for the FCA, whose remit is centred on the conduct of
businesses. As the name suggests, TCF was additional principles-based guidance
to encourage firms to behave ethically in the context of customer treatment. This
initiative aimed to bridge the gap between the FSA’s Rules and its principles, and
the FSA expected senior management to incorporate TCF into the company culture and
strategy. The overarching aim of TCF was to encourage firms to look beyond mere
compliance with the rules and instead to comply with the spirit underlying them.

Today, the FCA retains this focus on high standards of ethics and integrity and
emphasises the importance of ethics and integrity in business. In a speech to the
Worshipful Company of International Bankers in March 2014, Martin Wheatley, CEO
of the FCA, summarised the link between regulations and ethical standards:9

Now, clearly regulators and firms still require rules to function effectively. But experience
tells us red tape is more easily hurdled than principles. So as we move forward, firms will
begin to see themselves held up against stricter ethical standards.

5.1.3 Are there human barriers to overcome?

In order to create an effective compliance culture, firms need to be able to
recognise the common human barriers. Examples include:

• dominant individuals
• a ‘blame culture’ in which employees are afraid to escalate issues
• steep authority gradients or hierarchies
• the misplaced belief that compliance is solely the role of the
Compliance department
• poor or restricted communication between staff and management
• a tendency to place reliance upon internal safety nets by
delegating upwards
• management scepticism about the value of compliance and encouraging
employees to seek authorisations and sign-offs from the Compliance staff
• the attitude among junior employees, in particular, that their concerns are
of no consequence, and
• a remuneration and reward system based on meeting targets and sales
volumes that do not take account of compliance requirements.

9. http://www.fca.org.uk/news/speeches/ethics-and-economics.

The board and senior management must be aware that the interrelationships
between people are as important as the quality of the systems of control that are
put in place to monitor compliance. Therefore the responsibility for breaking down
the human barriers in the firm rests with the senior management and the board.

5.2 Linking ethics and culture

Ethical behaviour can be defined as acting in accordance with the accepted
principles of right and wrong. These values are set, for example, by society, your
employer, professional bodies and colleagues.

Integrity, on the other hand, differs slightly because it is personal – relating to
how an individual acts. For example: ‘A person of integrity has the courage to
stand up for what he or she thinks is right and to speak out about what he or she
thinks is wrong’. Put more simply, integrity is where you know right from wrong,
you take appropriate action to ensure the right thing is done and you are willing
to explain your actions or even your inactions if challenged that the right thing
has not occurred.

Almost all regulatory frameworks are founded on the principles of ethical
behaviours and actions. In reality, for a compliance culture to be truly successful,
the values of ethics and integrity must be established before any compliance
framework is set, and this is the responsibility of the board. If the values of a
company and those who work within it are not defined and monitored, the
framework is likely to fail.

In managing risk, culture is possibly more important than strict adherence to
the regulations alone. At the very least, an ethical culture should enable the
achievement of regulatory requirements, many of which would otherwise be very
difficult to fulfil.


5.3 The requirement to demonstrate effective GRC

5.3.1 The role of the board

A truly effective board of directors must take full responsibility and accountability
for the firm it manages. In its definition of corporate governance, the Cadbury
Report of 1992 (The Financial Aspects of Corporate Governance Report)10 gave its
understanding of the role of the board:

Corporate Governance is the system by which companies are directed and controlled.
Boards of Directors are responsible for the governance of their companies.

This is a useful and simple explanation, because it clearly demonstrates that
corporate governance is a decision-making system, and it also categorically places
the burden of responsibility on the firm’s board of directors. The Cadbury Report
was the first version of the UK Corporate Governance Code which was issued by the
Financial Reporting Council (FRC).

The current version of the UK Corporate Governance Code, issued in September
2014, defines standards of good practice in relation to board leadership and
effectiveness, accountability, relations with shareholders and remuneration. It
includes requirements on the following core principles:

• leadership
• effectiveness
• accountability
• remuneration policies that are designed to promote the long-term success
of the company
• strengthening relationships with shareholders by enhancing the quality
of information investors receive on the long-term health and strategy of
the company.

The Code emphasises encouraging changes in the behaviour of boards rather
than increasing regulation and legislation. The FRC stresses that it is crucial that
companies engage with the spirit of the Code, commenting that over the last few
years boards have adopted a ‘box-ticking’ approach and have failed to adhere
to the overarching principles. The FRC is trying to change this in the hope that
firms will use the Code to create greater transparency, better accountability and
improved communication with shareholders.

In the Netherlands, the Dutch Corporate Governance Code contains principles
that reflect general views on good corporate governance, set out in best-practice
provisions. These provisions have created a set of standards governing the conduct
of management board members, supervisory board members and shareholders.
They reflect national and international best practices, and firms are obliged to
state each year in annual reports11 how they have applied the principles and best-
practice provisions of the Code in the past year.

10. http://www.ecgi.org/codes/documents/cadbury.pdf.
11. http://commissiecorporategovernance.nl/monitoring-reports.


The main principle of compliance with the Code is clear:

The management board and the supervisory board are responsible for the corporate
governance structure of the company and for compliance with this code. They are
accountable for this to the general meeting and should provide sound reasons for any
non-application of the provisions.

Shareholders take careful note and make a thorough assessment of the reasons given
by the company for any non-application of the best practice provisions of this code.
They should avoid adopting a ‘box-ticking approach’ when assessing the corporate
governance structure of the company and should be prepared to engage in a dialogue
if they do not accept the company’s explanation. There should be a basic recognition
that corporate governance must be tailored to the company-specific situation and that
non-application of individual provisions by a company may be justified.12

5.3.2 The roles of the Risk and Compliance functions

Ultimately, the board and senior management will dictate the risk-control
environment and the prevailing cultural attitude towards it. It often falls to the
Compliance department to encourage and equip the board to perform this
important function correctly. It is therefore necessary for compliance professionals
to be able to promote the benefits of compliance at all levels within a business.

As with the creation of the compliance environment itself, there are two distinct
elements to every effective compliance framework. The first is the construction
of the framework itself through procedures, monitoring processes and other
operational elements. The second is in the development of a culture which
encourages employees to ‘buy in’ to making the framework operate. It is difficult to
overstate the importance of creating and promoting a healthy compliance culture,
not only by persuading employees to discharge their duties in the right way, but
also by influencing management to adopt an encouraging and supportive attitude
towards the benefits that compliance can produce. ‘Compliance by all, for the
benefit of all’ should be the message promoted by senior management.

5.3.3 The part everyone must play

All employees must be given regular updates to ensure that they remain aware
of their individual GRC responsibilities. These responsibilities are relevant to their
particular role, function or position in the company. Today, proving that the firm is
compliant is as much about proving that employees and responsible persons have
the requisite knowledge and training to perform their work in a compliant way as it
is about ensuring that everyone is behaving to the required standards.

There are certain requirements, such as for anti-money laundering and dealing
with bribery and corruption issues, and other specific business functions, for which
staff must undertake periodic refresher training, but firms must also be able to
demonstrate that there is comprehensive understanding of responsibilities and
expected standards of behaviour.

12. http://commissiecorporategovernance.nl/download/?id=606.


In the UK, the FSA released a discussion paper in October 2002 (DP18)13 which
examined how businesses can create an ethical framework. Despite the time that
has passed since publication, its content and sentiment remain highly relevant
today for compliance professionals seeking to influence the culture of their firm,
and its key messages can be seen to apply internationally.

5.3.4 Regulatory assurance

If assurance is defined as preparation for an event that is certain to happen,
regulatory assurance is the behaviours, culture, ethics, systems and controls,
and processes that firms need to have in place to ensure that they comply with
regulations, guidance, rules and codes and expected standards.

Effective GRC within a firm helps it to demonstrate regulatory assurance, with the
development of compliance culture and ethical behaviour expectations and, in
addition, regulatory assurance leads to benefits other than the avoidance of the risk
of regulatory breach. These benefits extend to the consumer, the regulator, and the
firm. These will be discussed further in section 6.1 below.

6. Promoting a successful GRC framework

Creating an environment in which employees understand and value the ethical
conduct of business is an essential prerequisite for an effective compliance
framework. The motivation should not be fear of the criminal or regulatory
repercussions that may follow a breach (negative motivation) but an appreciation
of the commercial benefits that ethical conduct brings to employees themselves, to
their clients and to their employer (positive motivation).

6.1 The benefits of effective GRC

The ‘culture’ of a firm can be defined as the sum of its values, attitudes and
beliefs. It also includes the way in which those within the firm perceive what it
stands for and how they understand the environment in which it operates. Consider
the following question.

Example: The dangers of being ‘just compliant’

Q. If the culture of a firm is geared towards being ‘just compliant’ (doing the
minimum to comply with the rules) does it protect itself against sanction?

A. No. Being ‘just compliant’ will not necessarily prevent a firm from behaving
in a way contrary to the principles of regulation, which may result in
putting investors at risk, damaging market integrity or the firm’s own
reputation, or undermining the stability of the financial system. Even
the most rule-compliant procedures and controls will not remove the
possibility of regulatory sanction. Mechanical ‘tick box’ compliance
does little to prevent these broader failures.

13. http://www.fsa.gov.uk/library/policy/dp/2002/discussion_18.shtml.


Although regulators around the world have constructed a framework of principles,
rules and guidance, it is unclear whether the ethos on which they are built is fully
understood or applied consistently by those in the financial services industry. The
spirit on which regulatory frameworks are based is primarily founded on ethical
values and the integrity of those who apply them. If the culture within a firm is
indifferent to concerns of ethics or integrity, the broad objectives of regulation will
not be addressed.

While the example above highlights one benefit of encouraging the correct culture
and attitude towards compliance, many others exist. Below are some further
benefits of robust governance, risk management and compliance and a strong
ethical culture, but this list is by no means exhaustive.

„„ All risks will be managed better, especially compliance risk, regulatory risk
and, as a result, reputational risk. With the right culture and attitude in place,
breaches are less likely to occur.
„„ Decision making, based on clear understanding of the facts and associated
risks, will be improved.
„„ Higher standards of customer conduct, corporate conduct and market
conduct will be easier to achieve and to demonstrate, because the reasons
for it are more readily accepted.
„„ Investors, customers and other stakeholders will have increased trust in the
firm, which may in turn lead to increased business.
„„ There will be a better relationship with regulators. If something should go
wrong, a sound base exists from which to work together constructively to
resolve it. If a firm has built up a good reputation with its supervisor,
this can often pay regulatory dividends by resulting in a less intrusive
regulatory approach.
„„ Staff motivation is improved where employees care that the companies for
which they work are ethical and well run. Strong ethics and good governance
are a very effective way of engaging employees, who will see value in what
they do. This in turn leads to lower staff turnover.
„„ Competitive advantage: well-run, compliant firms can gain real competitive
advantage over those that are in the business for the wrong reasons. The
efficiencies created by doing things ‘right first time’ can pay real commercial
dividends later.

Unfortunately, many of the risks and rewards above are fairly intangible. For
this reason, it is vital that compliance officers identify opportunities and look at
real-life examples to help others to understand the benefits of good compliance.
(This applies to boards and senior management in particular.) These may entail
positive examples – for example where the regulator decides not to take further
action following the notification of a breach, because of the good relationship and
high degree of confidence that the firm will put things right – or negative ones,
such as highlighting where other firms have fallen foul of the regulations and the
consequences they faced.

6.1.1 Benefits for the consumer

The clearest benefit is consumer protection, a core objective of financial
services regulation. Consumers demand a degree of comfort that can only be
provided by regulation, and when that demand is satisfied a welfare and
reputational gain is secured.

Consumers demand regulation for many reasons, including:

„„ the need to have a reasonable degree of assurance when transacting with
financial firms
„„ the fact that they are making a substantial financial commitment when
entering into a contract with a company
„„ to help to overcome the inequalities in information and understanding
between firms and clients.

Increasingly, regulators expect these conduct standards to be built into product
development and sales strategies from the outset, and expect firms to involve
consumers in the design process. This benefits consumers by making them more
aware of the risks of a given product, and benefits the firm by allowing problems
to be anticipated rather than discovered later in complaint volumes and trends.

Overall, it is clear that effective GRC in firms leads to enhanced benefits for
the consumer.

6.1.2 Benefits for the regulator

For the regulator, there are many benefits to be realised when firms can
demonstrate regulatory assurance. These include:

„„ assistance in meeting the regulator’s statutory or operational objectives
(consumer protection, market integrity, and confidence and stability in
the markets)
„„ building relationships of trust between firms and the regulator, so that
confidence in the culture, ethics and integrity of the industry can be
developed and promoted over time
„„ enabling firms to become trusted sources of guidance and support – for
example, when a new rule or principle is being considered, the regulator
can consult on it with the industry, which will be trusted to offer a reasoned
and customer-focused assessment of its practicality.

6.1.3 Benefits for the company

Firms in the market can also benefit from developing and demonstrating regulatory
assurance derived from high standards of culture, ethics and integrity, including:

„„ better management of regulatory and compliance risk, reducing the
likelihood of regulatory breach and the direct and indirect costs and
reputational damage that come with it
„„ better decision making based on a clear understanding of the facts and risks
associated with the firm’s activities, markets and consumers
„„ competitive advantage – increased trust from consumers and other
stakeholders, which can lead to more efficient exploitation of business
opportunities by making sure new products, services and strategies are
‘right first time’
„„ as for regulators (see section 6.1.2 above), good working relationships lead
to trust and collaboration, both in terms of future regulatory developments
and in dealing with any issues that may arise
„„ attracting motivated employees who genuinely care about the firm they
work for and the culture and ethics it represents. This leads to lower
staff turnover, reducing costs and creating benefits ultimately measured in
terms of customer satisfaction.

7. Where next for GRC?

The situations and subjects discussed in this unit will be explored further
throughout this Diploma course. We have seen that GRC is a complex subject, with
multiple interrelationships that need to work together to achieve the maximum
benefits for a firm or business.

GRC’s importance to the board has grown significantly over the past ten years, so
that senior management now pays far more attention to these aspects of the business
as regulators demand greater accountability and transparency for the firm’s
processes and procedures. Individuals’ liability for their actions or inactions, and
the ethics, culture and integrity they demonstrate, are now under constant scrutiny.

This scrutiny of ethics and integrity has never been greater, and it raises an
interesting debate. Although many recent financial scandals have resulted from
unlawful actions and behaviours, some have concerned activities that were within
the law, yet the ethics of those involved have still been called into question.

Boards and senior managers must ask the question ‘what is doing the right
thing?’ Opinions on what this is in any given situation will be divided, and the
firm, employees, customers and regulators will probably not share the same
answer to this. Trust has therefore been compromised by the different views of
these stakeholders.

Leaders of firms therefore need to create a shared sense of doing the right
thing, to develop a vision of the core purpose, and start to rebuild trust in the
firm – and even in the financial services industry. To do this, the board and senior
management need to agree on a common set of core values, cultural and ethical
standards, and build governance within the firm to demonstrate assurance.

More than this, these leaders must lead with authenticity, which will help in
rebuilding trust. By following the right path to achieve the core purpose, that core
purpose itself will drive the values, culture, behaviours, ethics and actions the firm
needs in order to rebuild trust.

One thing is certain. It is a changing landscape. Today’s acceptable practices and
behaviours may lead to criticism in the future if viewed retrospectively, so the
acceptability of today’s practices needs a closer examination through a GRC and
ethics lens.


Learning outcomes

By the end of this unit you should be able to:

„„ outline the historical issues, including some past scandals, that have led to
today’s emphasis on regulation
„„ explain the events that led up to the global financial crisis of 2007–8, the
problems with the regulatory system that existed at that time, and what was
revealed by the Turner Review
„„ outline the six key objectives of regulation in the financial services industry and
see how these are approached, using the example of the UK, by regulators in
pursuing their operational objectives and using the powers conferred on them
by legislation
„„ explain what effective GRC is, why it is important, who is responsible for
inculcating it throughout a firm and, in broad terms, how this might be done
„„ appreciate that the regulatory landscape is going to continue to change
and know how GRC can help in preparing the firm and its employees for
future events
„„ outline the links between the various aspects of the GRC framework and explain
how embedding these within the firm will benefit the consumer, the regulator
and, in consequence, the firm itself.
