Unit 5 What is the Role of the
Compliance Function?

Learning Objectives

The purpose of this unit is to:

• examine the role of the Compliance function as a trainer, an educator and an
adviser and in providing assurance to the business
• discuss the key internal and external relationships, and why they are so critical to
the regulated business
• explain what is meant by consumer conduct and market conduct
• discuss prudential compliance and why it is so critical in a post financial
crisis world
• review the role of the Compliance Officer today, and the skills a compliance
professional needs in order to be successful in the compliance role.

Introduction
The role of the Compliance function (or the Compliance department, or compliance
team: these terms are all also used) is very wide, because it has to mirror all the different
business activities in which the firm is engaged. Its more traditional role as a technical
function has evolved so that today its responsibilities include providing advice, expertise
and support to all business areas, alongside monitoring and reporting, and being the
point of contact with the regulators. In this unit we will look at the various aspects of the
role in some detail.

1. The educator
Although education and training are provided by the training or learning and
development functions, technical input into these programmes is essential,
because the Compliance function is a subject-matter expert (SME).

There is more to this than just technical expertise such as knowledge of the
regulations and legislation that apply to financial services companies.

1.1 The Compliance function’s role in training

One of the roles of the Compliance function is to provide input into training, but
we have to ask ourselves what this really means. Training takes many different
forms, and there are many different terminologies used, including:

• coaching
• computer-based training
• workshops
• classroom training
• mandatory or statutory training
• ad hoc updates.

Also, we need to identify the audience for the training. It is needed not only by
new recruits to a firm, but also by all employees to keep their skills and knowledge
up to date, especially as and when there are changes that affect the firm. These
changes could be in regulation, guidance, markets, products and services – the key
is to remember that they need to be the subject of training updates because of
their potential impact on the firm’s compliance. Employees in different roles need
different levels and depth of detail in their training.

Sometimes an identified business risk is managed by providing the appropriate
compliance training. A compliance training course could be used to promote
awareness of a new regulation or policy or to reinforce a procedure or process. The
Compliance function should be involved in the development and arrangement of
compliance training.

Compliance training can also assist senior management in promoting and
developing a compliance culture. An effective compliance training programme will
provide the business with the opportunity to learn, understand and explore the
principles and objectives of the underlying regulation. Compliance training can
also provide a firm with the opportunity to interact with the Compliance function
staff in an open manner. This can be particularly effective during coffee breaks or
over lunch, where informal discussions begin or examples often arise in the course
of conversation.

It is important to note that in order for compliance training to be effective it
must relate to business practices, and examples should be used to reinforce the
regulatory requirements being discussed.

It is also important that managers attend or at the very least show support for
the training sessions, as they will be responsible for ensuring compliance with the
policies and procedures. This also reinforces the message of ‘tone from the top’.

1.2 The stages of the training programme

The first stage of training comes at the start of a career in the firm. This induction
training is the opportunity for the Compliance function to explain the importance
of compliance with regulation, but without going into any great technical detail. It
presents the opportunity to explain the firm’s approach to compliance, the culture
and ethics it requires of all employees, and the basic behaviours expected while
working for the firm.

Later training is likely to be more technical and focused on the needs of the
specific role. If this role is in a risk management or compliance capacity, then the
technical content will be substantial. In other roles that are subject to regulation
(for example, selling regulated products, complaint handling, claims management)
then the training will have to cover the regulatory requirements for the area
concerned and link these to the work procedures to be followed.


Mandatory training is completed on a regular cycle, and covers the subjects about
which all employees have to be aware, in their roles. Examples of mandatory
training include sessions on bribery and corruption, anti money laundering,
sanctions compliance – those subjects where the firm has a responsibility to ensure
that all employees are aware of their individual responsibilities. The challenge
facing the Compliance function in providing the materials for this training is
to keep it interesting and current. If the same material is used year after year,
completing the training will soon become a ‘tick box’ exercise.

For example, in Singapore, the Monetary Authority of Singapore (MAS) requires
firms to ensure that staff are equipped with knowledge of new products as well
as changes in legislation and regulations, and that they are adequately trained
to enhance their efficiency and effectiveness. Firms should identify skill gaps and
assess training needs regularly. Training records should be maintained, training
should be regular and appropriately structured to enable staff to understand and
manage the complexities of the functional areas concerned.[63]

In meeting regulatory training requirements, there are traditionally two common
approaches within financial services businesses. The first is the ‘tick the box’
attitude referred to within both this and previous units. This approach is highly
prevalent and is characterised by a desire simply to be able to show that training
has been provided. The second attitude is characterised by a desire to be able to
demonstrate tangible improvements as a result of training, an aim which is more
closely linked to an ‘Outcomes-focused’ approach.

Compliance training is generally a large investment of both time and money.
Despite this, few businesses treat it with the required gravitas. This has increasingly
been the case in recent years as tight finances caused by the economic downturn
have placed a strain on training budgets, which are frequently seen as a luxury
rather than a necessity.

Primarily, the role of the Compliance function in training is to ensure that
sufficient training is provided for an organisation to satisfactorily discharge its legal and
regulatory obligations. Many Compliance functions do also contribute to the
formulation of training strategies, and wherever possible they should also assist
in training provision.

1.2.1 Considering organisational training needs

The initial stage in developing a compliance training strategy is to consider the
training needs of the organisation. The strategy should be flexible enough to take
account of the varying needs of individuals. In all cases it is necessary to consider
the knowledge and skills that are key to the successful fulfilment of each particular
function. These are often referred to as ‘core competences’ and should be identified
for every role.

A fundamental core competence for all employees is an awareness of the
overriding regulatory requirements and how they may achieve compliance
with these within the context of their own roles. A compliance professional
will appreciate why a particular procedure is important but, unless told, other
employees may not. This does not mean every employee must be able to recite
all the regulatory rules or principles with which an organisation has to comply.
Rather, they should have an understanding of the broad principles. For example,
they should appreciate why it is important for complaints to be taken seriously.
Overview training can often be included at an introductory level within induction
programmes, giving new employees a clear understanding of the importance of
the regulatory environment in which the firm operates.

63. http://www.mas.gov.sg/~/media/MAS/Regulations%20and%20Financial%20Stability/Regulatory%20and%20Supervisory%20Framework/Risk%20Management/RMG%20Internal%20Control_1%20Apr%202013.pdf – Internal Controls.

1.2.2 Setting training objectives

The second stage is to agree the training objectives. These will be heavily
influenced by the regulatory risk appetite of the business. Certain firms will wish
to achieve basic compliance with the rules but nothing more. Others will want
to achieve best practice, while the best businesses will want to exceed both
rule and best practice requirements and actively promote the benefits of ethical
business conduct.

1.2.3 Training provision

It may not always be possible for training to be conducted by members of the
Compliance function, and in some circumstances it may be preferable for training
on procedures to be incorporated into that provided by line managers or, in larger
firms, by the Learning and Development teams. Either of these last two approaches
can encourage employees to regard compliance with procedures as an integral
aspect of their role, rather than some form of bureaucratic addition.

Where the most appropriate individual to deliver a particular lesson or message is
someone from the Compliance function, the compliance professional must use this
opportunity to engender the desired attitude towards compliance by performing
the training in an effective manner. Training is a skill in itself, beyond the remit of
this course, but the following points should be borne in mind when called upon to
present a training session.

• Reduce the ‘authority gradient’ between you and the trainees. A training
session is not an exercise in demonstrating your knowledge. If the
perceived gap between you and the trainees is too large, your message
will not be absorbed.
• Avoid lecturing. Instead, encourage audience participation. The more you
personalise a training message, the more likely it is that the message will
form part of a trainee’s long-term memory.
• Where appropriate, explain the reasons ‘why’. Do not simply train in a
process or a system; instead, provide some context and enable the audience
to understand the background. With this understanding comes buy-in, and
in turn, a willingness to comply.
• Make the training session relevant to the role of the participants by using
examples from their area of expertise.
• Attention spans are very short. If you speak for longer than 20 minutes
without audience participation, most of what you are saying will not
be absorbed.
• Encourage all training contributions by praising.
• Use visual aids whenever possible. Most of what trainees learn comes from
what they see and not what they hear.
• Make the training fun! If trainees are enjoying themselves they will pay
greater attention.

1.2.4 Devising individual training plans

An assessment of training needs and solutions should be conducted at the
recruitment or induction stage for all new employees engaged in the provision
of financial services. Information gleaned from compliance systems (including
breach logs, complaints, and key performance indicators and trigger events) can
be assimilated with the results of performance appraisals. The resulting information
can then be fed into the development of individual training plans.

It is difficult to overstate the importance of ensuring that adequate training is given
to all employees, irrespective of seniority. This includes board members. Remember,
the ultimate responsibility for the firm’s compliance lies with them. Make sure they
know this!

Finally, care should be taken to ensure that training is effective and current.
Training content should take into account any changes in the market, products,
legislation or regulation.

1.2.5 Training evaluation

Training needs to be evaluated for its effectiveness in engendering enhanced
awareness and increased compliance. Too much emphasis is often placed upon
the evaluation of the training by the trainees, as opposed to an evaluation of the
learning outcomes. As we have seen, improvements can be difficult to measure,
although any statistical information that helps to evaluate training effectiveness
can be useful. Compliance professionals should also consider the merits of
subsequent testing of knowledge and awareness. The results can then be used to
evaluate training impact.

1.2.6 Continuous professional development

Consideration ought also to be given to future development. A strategy should be
developed which periodically confirms competence in key areas, for example in anti
money laundering procedures. It may be appropriate to consider annual testing
strategies for certain groups of staff, for whom maintaining current knowledge is
paramount. This may include updates on regulatory developments or changes in
internal procedures or products. Another example is the regulatory requirement that
all Approved Persons receive annual training on their regulatory obligations.

Systems and procedures work only if people make them work. Their effectiveness
is dictated in part by the prevailing culture of an organisation and the attitudes
among employees that the culture engenders. Training plays a vitally important
role in the creation of a healthy compliance environment.

1.3 The Compliance function’s role in education

The type of education that the Compliance function needs to provide can be
subdivided into technical education and behavioural education (including ‘hard’
technical knowledge skills and ‘soft’ personal skills respectively).


1.3.1 Technical education

The technical education will be based on interpretation of the rules and principles
that apply, according to the product or service being offered. It will be tailored to
the audience, and the method of delivery will vary according to the scale of the
education required. For example, any changes in regulatory responsibilities could
require a wide programme of technical education for large numbers of employees,
whereas changes in some of the technical requirements in already established
regulated activities are likely to result in a specialised briefing to a small number of
SMEs in the relevant business areas.

1.3.2 Skills and behaviours education

Because compliance is more than just a comprehensive knowledge of technical
compliance subjects, education on the behaviours expected of the firm’s
employees is crucial. This does not apply only to customer-facing employees.
Everyone must understand what is expected of them, what the firm’s values are,
and the culture and ethics that senior management have determined for the firm.

It is possible to argue that this type of education is as important as the technical
education mentioned above. It is not just about what you do: how you do it is
equally important, and many firms have recognised this in their approach to
employee appraisals, which in turn affect remuneration packages.

Remuneration is discussed in Unit 8, section 6.

2. The adviser
2.1 Planned advice

Planned advice is given when changes, updates and amendments are known,
so that the business can plan any adjustments it needs to make, and assess their
impacts on its operations.

2.1.1 The purpose of advisory activities

By being proactive and considering the impact of change, the Compliance function
can offer the advice that business areas need to help them to respond. This ensures
that compliance is maintained in product and operational areas, or in complaint
handling, for example.

One of the critical roles of advisory activity is to prompt business reviews. If the
regulator announces new measures derived from outputs of previous thematic
reviews, then the Compliance function may liaise with the business areas in order
to decide whether risks within the firm are likely to arise from the proposed or
announced changes.

In addition, advice from the Compliance function can lead to competitive
advantage as well as maintaining regulatory compliance. By receiving advice based
on knowledge of the complete regulatory environment, and known changes, the
firm is in a position to be more proactive and less reactive, and therefore able to
exploit any new business opportunities that arise as a result of the new conditions.

2.1.2 Horizon scanning and regulatory analysis

It is essential to be aware of what is on or just over the regulatory horizon. This role
could be allocated to a specific team or individual in the Compliance function or, in
those firms operating the ‘three lines of defence’ model (see Unit 6, section 2.1.2), to
the risk oversight teams.

Horizon scanning involves maintaining knowledge of regulations and any
developments, through researching the regulator’s outputs. These outputs could
be consultations, speeches, press releases, or industry guidance. In addition,
monitoring the outcomes of thematic reviews and analysing final notices of
enforcement will give the firm an indication of the direction in which the regulator
is moving. This information is helpful not only in identifying where changes will
need to be made in the future but also in suggesting areas for review, so that the
firm has assurance in the compliance of its existing business activities.

2.2 Ad hoc advice

This is advice given in response to specific and immediate questions and queries,
no matter what their origin. Quite often, a large part of the compliance
professional’s time is taken up answering these types of query, but they are an ideal
opportunity to train and educate the person asking the question. We will discuss
further the skills and qualities that are required by the Compliance professional in
sections 7.2 and 7.3 of this unit.

2.2.1 The need for business awareness

Merely having a comprehensive knowledge of regulation is not sufficient to
enable a Compliance Officer to offer the right advice and training. The Compliance
function must understand the business, its markets, goals, areas of growth and
strategic plans in order to understand fully the impact of regulatory developments
on the firm.

Compliance Officers are more able to respond to ad hoc queries if they are aware
of the context, in business terms, of the questions they are being asked.

2.2.2 Impact analysis

The Compliance function will need to work with the business areas and other
assurance functions, such as legal and risk-management personnel, to understand
the impact of any developments on the business, and to undertake risk
assessments if they are necessary.

One area where Compliance function representation is essential is in involvement
in projects that are initiated to manage the changes needed in response to
regulatory development and change. Compliance professionals can offer a
consultative service in assessing the impact of regulatory change, or assessing
the effects of planned change by the business on its current and likely future
compliance, once the amendments to regulation have been implemented.

As with other risk-management activities, this has to be a continuous process,
because regulations are not static and will require monitoring and, where
necessary, an appropriate response.

3. Providing assurance
3.1 Monitoring plans

3.1.1 The critical importance of monitoring

In order to ensure an up-to-date assessment of the risks that the company faces
and the efficiency of the control systems that it has in place, a monitoring system
must be implemented. In most jurisdictions monitoring is also a regulatory
requirement.[64] An effective monitoring programme generates the essential
information that a Compliance function requires to keep the board apprised of the
effectiveness of the compliance control framework in place.

Many firms make the mistake of concentrating their efforts on monitoring controls
that ‘react’ to errors that have already occurred. In large part this is because of poor
planning, and as a result they expend valuable resources on ‘firefighting’ to rectify
events that, with better planning, could have been avoided.

Consider the following example.

Example

A fund management company is responsible for the calculation of the daily net
asset value (NAV) of an equity fund. Each daily calculation affects the price on
that day and on all subsequent days. Owing to inadequate monitoring, the fund
management company fails to identify a material error on a particular dealing
day in January 2014. The effect of this is that all subsequent dealing prices are
incorrect. The error is revealed in October 2015, during the 2015 annual audit. It
was missed during the 2014 audit. The error results in:

• an internal investigation into the cause
• an internal investigation and evaluation of the impact of the error on both
past (post January 2014) and current investors
• notification to the regulator
• the need to instruct external counsel
• the recalculation of all daily prices since the particular day in January
2014, because deals have been conducted every day since then
• compensation of investors who had suffered a loss
• calculation of the loss to the management company
• a post-mortem to reveal why the error was missed in the 2014 audit.

This example illustrates how ‘resource hungry’ an error can be. It also demonstrates
the importance of not relying solely upon other control functions to monitor
compliance. The entire scenario could have been avoided had a real-time
monitoring system been in place.

64. In ‘principles-based’ jurisdictions, regard should be had to both the broad regulatory
principles and international best practice.


3.1.2 Identifying compliance risks

In Unit 6, section 1.2 we will look more closely at the methodology of risk
management, but for now let us just assume that the Compliance Officer has
identified the compliance risks inherent in the business and now needs to quantify
and evaluate them to assess the likelihood and severity of loss (often referred to as
probability and impact) should the risk materialise.

Quantifying risk is a difficult and time-consuming exercise. Often individuals have
different attitudes to risk and therefore it can be difficult to agree on a consistent
approach. While risk-modelling systems can take some of the subjectivity out of
the exercise, in the area of operational risk in particular (which is the category into
which a number of compliance risks fall) it can be difficult to accurately assess or
measure the potential loss. In many cases, the answer as to whether or not the
firm is prepared to accept the loss is ‘it depends’ – for example on the level of risk
to which the firm is exposed. It is therefore crucial to determine the firm’s risk
appetite, that is, the level of risk it is prepared to accept.

A possible outcome could be acceptance of the risk; for example, because the
impact of any loss would be small; it is unlikely to happen; or it is inherent in
running the business. Alternatively, the outcome could be the implementation of
controls for the risk.

Example: Risk acceptance

A common risk businesses face is that a competitor launches a similar product
and erodes a firm’s market share. Increased competition is a key risk for most
businesses but is generally regarded as healthy and positive. Most firms will
identify competition as a general risk. Although some mitigating actions may
be implemented to limit loss of market share in specific markets (for example,
reducing interest rates to remain competitive) most firms will accept competition
as a risk inherent in their business.

3.1.3 Self-assessment

Self-assessment can be conducted in various ways, such as a review of risk logs,
completion of questionnaires and participation in interviews and workshops
involving business line managers and the Compliance function. In these exercises,
regulatory obligations and possible reasons for failure to adhere to them are
discussed. Work processes should also be discussed and managers should
identify weak or ineffective compliance controls or those that are or can be
easily circumvented.

This form of dialogue is essential. Compliance staff are not usually as familiar
with work processes and the interface between service provision and compliance
controls as the individuals who work with them on a daily basis. The key to a
successful self-assessment exercise, therefore, is the engaged involvement of
business units.

In conducting successful self-assessment exercises, the Compliance function
should ensure that participants are familiar with factors such as:

• product vulnerabilities
• distribution channel vulnerabilities
• client risk factors
• legislation/regulation and any upcoming changes
• relevant rules and guidance
• market developments and indicators
• industry best practice.

Industry best practice and international initiatives provide an important benchmark
by which existing compliance controls can be judged.

3.1.4 Reporting requirements

An effective compliance framework must provide for appropriate and timely
reporting of matters to the board or governing body (and the regulator where
necessary). This is an integral part of effective corporate governance. Escalation
processes should take into account the respective responsibilities for compliance:
for example, the board does not need to know about every minor breach that
has occurred, but it does need to receive regular reassurance that arrangements
are adequate.

The level of detail provided will depend on who needs the information and for
what purpose; for example, managers responsible for day-to-day compliance will
expect to receive a far greater level of detail and on a more regular basis than
the board. The board should regularly receive reports on risk in general and on
compliance risks in particular. Frequency will depend on the size and nature of the
firm and its risk profile, but the regulator will expect to see the board exercising its
influence in this area.

The escalation process should provide for appropriate trigger points and reporting
thresholds to ensure that serious issues are identified on a timely basis.

It is important that all staff understand how to report or escalate a compliance
breach or issue so the firm can meet its obligations for notifying the regulator of
any matter of which it would expect to be made aware. Except in certain
whistle-blowing situations, staff will usually be advised not to contact the regulator directly.
The procedure should also make clear how breaches should be recorded.

Firms are required to notify staff how to escalate matters of concern internally.
Nonetheless, if the concern is not taken seriously, employees should also be aware
of the need to ‘blow the whistle’ externally – that is, to report it directly to the
regulator or relevant authority. Whistle-blowing is covered in further detail in Unit
8, section 11.

3.2 Management information (MI)

Routine reporting will usually be based on robust MI, and should be reliable (for
example, based on sound collection systems), timely (sufficiently recent and regular
to enable matters to be raised at an early stage) and capable of allowing senior
management to identify trends, such as over a 3-month, 6-month or 12-month
period, as appropriate.

3.2.1 Ownership of MI

In larger firms, MI is collected at business function level and collated, analysed and
interpreted by the Compliance function. This analysis forms the basis of the reports
that will be presented to senior management – for example to the Risk Committee
and Audit Committee.

The role of the Compliance function is to confirm the validity of the data, and to
ensure that it is accurate and represents evidence of the control of those risks
that are agreed to be the most significant to the business. For these reasons, the
Compliance function owns the data it supplies. It is important to evaluate the
appropriateness of the MI.

• Does it provide data on those risks that constitute critical elements of the
firm’s risk appetite in its business activities?
• Does it provide enough information for the board committees and the
board itself to make the necessary strategic decisions that will ensure
continued regulatory compliance? Sound decisions cannot be made on the
basis of incomplete information.
• Is there too much information? If so, it will lose impact and relevance, and
key messages could be lost.

3.2.2 Timeliness of MI

For MI to be useful and pivotal in the management of compliance risk, it needs to
be up to date. Old data may not reflect the market and operating environment of
the regulated firm as it is today. So, while there will inevitably be some time-lags
between collation of the raw data and its debate at senior committee level, the MI
needs to be as up to date as possible.

Systems solutions that are set to filter and collate data take away much of the
manual analysis from this task, but ultimately the Compliance function needs to
use its skills and experience to assess the validity and usefulness of the MI.

A good example would be MI that measures conduct risk outcomes in product
sales. Pure sales volume data would not give the audience any understanding of
whether the correct products had been sold to consumers. Instead, comparing
actual sales with planned sales, based on product target markets; determining
whether those products were sold in volumes that reflect the different sectors
of the target market (a specialist type of product is unlikely to be the top seller);
noting the percentage of sales reversed in the first 30 days; and gathering
information on product complaints – would all give much more insight into
whether the sales were suited to the demands and needs of the customers. This is
a particularly suitable illustration of sound consumer conduct activity by the firm
(we will return to consumer conduct in section 5.1 below).


3.2.3 The audience for the MI

For MI to be assessed by the correct decision-making body, it has to be relevant
to that decision-making body. So, using the example above, the MI on sales
performance as a conduct risk appetite metric must be reviewed by senior
management with expertise in sales conduct risk.

4. Relationship management
In order to achieve regulatory objectives, it is essential for the Compliance function,
and therefore the employees and management of the function, to identify,
establish and manage key relationships. The benefits to both the Compliance
function and the firm in achieving this should not be underestimated. It can be
crucial in establishing a strong culture of compliance and mutual respect.

There should be regular communication with a number of individuals and
organisations (see below) so that the function can achieve what is expected of it.
Some of the key relationships will be with contacts who work for the same firm
(internal relationships), while others are with those who provide services to the
firm or have responsibility for the supervision and regulation of the company
(external relationships).

4.1 Key relationships

4.1.1 Key internal relationships

Those working in the Compliance function have important internal relationships
with, at the least, the following individuals or functions:

• senior management (including executive and non-executive directors)
• operational line managers (including sales, product and after-sales
service areas)
• internal auditors or controllers
• risk management functions
• group and/or head office – compliance
• group and/or head office – legal
• HR and training staff
• project managers (including those introducing new or amended services,
systems or products)
• other registered or Approved Persons/Controlled Functions within the
firm, and
• all other staff.

Regardless of the broader reporting structure, the head of compliance must have
direct access to the board.

4.1.2 Key external relationships

The Compliance function also has important external relationships. Depending on
the structure of the department, these may include some or all of the following
individuals or organisations:

• regulators – depending on the regulatory structure in the jurisdiction, this
may mean relationships with more than one
• clients
• financial crimes investigation units
• police and law enforcement agencies, including customs
• lawyers
• auditors
• compliance associations
• trade associations and industry bodies.

4.1.3 The importance and benefits of these relationships

There are many benefits of managing internal and external relationships
proactively. This approach has the following advantages.

• It establishes a primary working relationship with suitably experienced
persons who can readily understand and respond to specific requirements.
This facilitates more effective communications and coordination, establishes
credibility and helps to demonstrate that the Compliance function is
adding value.
• It establishes the Compliance function as the central point for most
communications of a regulatory nature. This should produce a consistent
process and prevent misunderstandings.
• It ensures that requirements and demands can be assessed and
managed on a case-by-case basis, as well as being considered from a
wider perspective.
• It establishes trust that important matters will be reported fairly and
promptly. The Compliance function provides a level of comfort to key
client-relationship persons by reporting appropriately any significant
matters, following these up and ensuring certain exceptions or issues are
satisfactorily resolved. The Compliance function can also provide an expert
in-house view on matters concerning the firm.
• It should mean that the Compliance function’s collective knowledge remains
current and informed. This allows it to provide management and staff with
up-to-date direction on specific regulatory and compliance matters.

A level of confidence and trust may be required in order to exchange complex or
sensitive information between parties. A compliance professional who manages
key relationships well on behalf of the function can ensure that such situations are
dealt with smoothly.

Ultimately, an in-house Compliance function can provide a valuable service to
the wider business. Compliance professionals need to ensure that this service is
as effective as possible. In order to gauge this, the Compliance function should
educate the business on the service that it will commit to providing and then
encourage constructive feedback on such issues as:

• the level of support provided
• the degree of pragmatism demonstrated
• commerciality
• approachability
• responsiveness.

Open and honest feedback will help a Compliance function to improve the quality
of the service it provides, which in turn should help the firm as a whole.

5. Conduct of business compliance
For the purposes of this section, we will assume the following are the common
core international objectives of regulation:

• protecting investors
• maintaining confidence in the financial system
• preserving market stability.

The first of these is a consumer conduct objective, whereas the second and third
are part of the market conduct agenda.

We will now consider each of these objectives in more detail.

5.1 Consumer conduct

The consumer conduct agenda refers to how a firm or an organisation interacts
with its customers. Expressed differently, the question asked is ‘how does the
firm behave in its dealings with all its customers’? The current consumer conduct
agenda can be seen as the natural progression of the increased focus on ensuring
that customers are treated fairly.

As we have already discussed in Unit 1, section 3.1, protecting consumers is
perhaps the most fundamental aim of regulation. This in itself contributes to the
achievement of the other objectives, maintaining market confidence and market
stability. Whether a customer is depositing wages in a bank account or investing
billions of pension fund assets with a fund manager, they both have broadly
similar concerns.

• Is the provider secure so that customers can access their money when they
need it?
• Can the provider be trusted to look after their investments so that they will
get back the sums invested (and any return due on them)?
• If something goes wrong, for example the provider goes out of business, will
their investment be protected? Would they be eligible for compensation?

Protection designed to satisfy these concerns is achieved in a number of ways.
Generally, only authorised firms can offer financial services. Before being permitted
to offer financial services, firms must meet and maintain certain requirements,
called threshold conditions, which include the ‘fit and proper’ requirement for
senior management.

Regulators set conduct of business rules designed to provide customers with all the
information they need, both pre- and post-sale. These disclosure requirements are
at the very heart of consumer conduct requirements as customers must either be
able to rely upon any advice received from an authorised firm, or be given sufficient
information to be able to make a fully informed decision themselves. Failures in
disclosure have been the underlying cause of many of the mis-selling scandals.

Regulators must then supervise authorised firms and monitor their activities to
ensure that they are meeting the required standards; regulators have powers
to investigate and take enforcement action against firms that fail to meet the
required standards. Rules and supervision levels vary according to the type of
product or market sector in which a firm is operating, with more risky products
generally attracting more stringent rules and closer oversight by the regulator. But,
at their heart, the rules all focus on ensuring that the right amount of balanced
information, highlighting the risks, is provided to the customer as part of any sale,
redressing the issue of information asymmetry (see Unit 1, section 3.1.1).

Given the very diverse nature of the customer base, it is usual to weight the
protection in favour of those who are least experienced, such as individual
customers dealing on their own account, and small businesses, which also enjoy a
high level of protection. Substantial businesses and experienced investors investing
their assets are expected to have some knowledge and understanding of the
transactions they are undertaking.

5.1.1 Examples

Complaint handling is a good example of consumer conduct compliance, where
firms need to have robust policies and procedures in place in order to demonstrate
their commitment to high standards of consumer conduct. This is because the
way a company deals with complaints forms a key component of the regulator’s
expectations about fair treatment of customers, requiring that there should be no
barriers to prevent customers from complaining, and that the procedures in place
take into consideration how each complaint is dealt with and the consistency of
approach and response. The firm must make changes where trends are identified.

The penalties for mis-handling complaints can be severe. Examples have been seen
in the UK. In January 2011 the then UK regulator, the FSA, fined RBS and NatWest
£2.8m for responding inadequately to more than half the complaints reviewed by
the FSA. The cost of mitigation actions and the reputational damage done would
have been considerably more than this. More recently, in July 2013 the Financial
Conduct Authority (FCA) fined Policy Administration Services Limited (PAS)
£2,834,700 for poor complaints handling between June 2009 and September 2011,
including failing to identify the root causes of recurring issues and put them right.

In designing complaint-handling systems, Compliance functions should take into
account a number of different factors. These include the size of the organisation,
the nature of the business it undertakes and the likely complexity and/or number
of complaints that could be received. These factors must sit alongside specific
regulatory requirements for the jurisdiction, as well as other considerations (such as
the aforementioned treating customers fairly expectations, for example). The same
type of complaint-handling system will not be a suitable model for all businesses.

Complaint-handling procedures usually specifically deal with:

• how customers are able to make complaints
• the receipt of complaints
• response to complaints
• the investigation of complaints
• time limits
• resolution
• escalation rights
• root-cause analysis.

Complaints can be received by any employee within the company. Procedures
should therefore ensure that all employees are aware of how to recognise a
complaint and how to deal with it once received. This requires adequate training
to be provided to all employees. This is an area that is often overlooked. Even
where training is given, there is generally weak monitoring of performance in
the handling of complaints. Where this is attributable to management
complacency, the regulator is likely to treat it as a serious breach of systems
and controls requirements.

In order to avoid conflict in the handling of complaints, organisations should
ensure that complaints not capable of immediate resolution are handled by
employees who are not directly or indirectly implicated in the subject matter of
the complaint.

It is important that all customer complaints are handled promptly. Effective and
timely handling of a complaint can defuse situations that might otherwise escalate.
Therefore, documented procedures should specify time limits within which
complaints should be resolved.

If a complaint is not suitable for immediate resolution (which is generally
defined as ‘by close of business on the working day after receipt’) this should
be acknowledged in writing. The response should include details of the person
responsible for handling the complaint and an outline of the firm’s complaint-
handling procedures. It is also useful to outline the firm’s understanding of the
nature of the complaint to ensure that both parties have mutual understanding,
in order to avoid further conflict. The objective is for the process to be transparent.

A firm should aim to resolve complaints within the shortest period of time possible,
while also meeting the required standards of quality. Time limits should be
prescribed within internal procedures in line with regulatory requirements. At the
expiry of such limits, an organisation should issue one of the following:

• a reasoned rejection of the complaint, or
• an acceptance of the complaint including, if appropriate, an offer of redress.

Complex or detailed complaints may take longer to investigate.

At the end of the investigation period, complainants who remain dissatisfied with
the outcome may refer their case to the regulator or other independent body
established to complete an impartial review (often known as an Ombudsman).
Compliance teams must make themselves fully aware of the prescribed time
periods for resolving complaints, and at which prescribed points complainants
must be made aware of their future referral rights.

Difficulty sometimes arises in defining what constitutes a complaint. For example,
if during a telephone conversation an existing client comments that he is unhappy
with the time that it has taken for the phone to be answered, is he making a
complaint that should trigger the formal complaint-handling procedure?

All complaints should be referred routinely to a designated, competent complaint-
handling function. The Compliance function should monitor progress against
both internally prescribed and externally imposed time limits, ensuring that rule
requirements are met and accurate records maintained.

5.2 Company conduct

Regulatory expectations are that firms must determine their own approach to
conduct and conduct risk – which consequently places consumer interests and
market integrity at the heart of the firm’s approach.

Firms publish their codes of conduct externally and internally. There are other
ways in which firms can communicate their conduct expectations and these are
a fair measure of how seriously conduct is taken at senior levels within the firm.
Other examples that are used include: training and guidance, including but not
restricted to annual refresher training, and conduct standards being introduced
early in the career of new recruits; key information messages describing and
illustrating the core components of good conduct; and we must not forget the
importance of boards and the senior management establishing the ‘tone from
the top’, which sets out the cultural and conduct agenda for the firm.

Individual employees can therefore review and understand the conduct standards
that are expected of them by their firms because they may be required to sign
up to and agree with set codes of conduct, and will be receiving regular updates
and keynote messages from senior management. This needs to be supplemented
by employees thinking for themselves about what conduct means to them.

A good personal checklist suggests that employees ask themselves the
following questions.

• Is the action or proposed action legal and does it meet regulatory standards?
• Does it comply with the letter of internal policies and procedures?
• Does it comply with the spirit of internal policies and procedures?
• How would it look if it was reported in the media? Would it appear to be
wrong, or would it make you embarrassed?

Other resources that are available for employees to use to help them understand
their firms’ approach to conduct include:

• line management or supervisors, because they have day to day
responsibility for that area of the business
• HR, for employee-related issues concerning colleagues or management
• legal departments, if there are concerns on how conduct may be impacted
upon by legislation
• compliance functions, whether at business unit, divisional or group level,
as the compliance professionals can help with concerns regarding policies
and practices
• an advice line, which may help employees to feel secure about discussing
conduct concerns and possible conduct risk implications.

5.2.1 Understanding your firm’s definitions of conduct risk

It is important to remember that understanding conduct is far more than just
another sales compliance programme, because this fails to understand the extent
to which conduct overlays the whole of the value chain. A good approach would
be to ‘follow the money’ as this exposes potential areas of customer detriment
by looking at those areas of the business where significant revenues come from
and therefore where significant profit can be made. Strong profitability does not
necessarily mean there are conduct issues – rather it is just one of many indicators
that there is the potential for these risks, and it serves as a pointer to areas for
further investigation.

Contributory factors feeding into the conduct risk definition include answers to
the following questions.

• How complex is the product, and how does this relate to the sophistication
of the end consumer?
• Is the product actively requested by the consumer, or is it just an add-on
or ancillary product to add to an existing portfolio?
• What other suppliers are there competing in the market, and what is the
size of the market?
• Is it easy for the consumer to withdraw from any contract with no
negative consequences?
• Can the impact of poor conduct be measured for both the customer and
the company?
• How important is the product for the firm’s overall business?
• How profitable is the product?

Answers to these questions help to formulate an understanding of the firm’s
definition of conduct risk because the questions ask about more than just an
approach to delivering sales that meet customer needs.

The importance of the value chain means the following processes need to
be reviewed.

a) Product development and governance: are conduct risk criteria integrated
into new product approval and governance processes? Are positive
outcomes defined, and are there corresponding metrics and indicators of
emerging risks?
b) Is there effective customer segmentation to cover variables such as financial
experience, eligibility for products, tolerance for loss, etc.?
c) With regard to sales, are there formalised and upgraded salesforce standards
and training which link qualifications to sales authority? Is documentation
robust enough to demonstrate suitability and does outcomes testing
development lead to improvements?
d) Post sales servicing and complaints – is there adequate monitoring of
sales process and product performance and comparison with complaints
volumes, and identifying any correlations with the conduct risk exposure of
products and processes?

5.2.2 The benefits of good conduct

Improvements to conduct of business standards can have benefits other than to
compliance with laws and regulations.

Commercial benefits

The role of business in an open market economy system is to create wealth for
shareholders, employees, customers and society at large. No other human activity
matches private enterprise in its ability to marshal people, capital and innovation
under controlled risk-taking, in order to create meaningful jobs and produce goods
and services profitably – profit being essential to long-term business survival and
job creation. Examples of the commercial benefits that can be gained include
the following.

• The reduced cost of regulatory enforcement actions and the costs
associated with this (the impact of regulatory fines on the firm, the cost
of remediating affected customers, and compensation payments that are
due, the diversion of resources to fix problems instead of being engaged in
revenue-generating activity)
• Increased customer loyalty and persistency rates so that existing customers
are more likely to deepen their relationships and to purchase additional
products or services
• By establishing systems and controls, management information production
and reporting structures and arrangements, firms are more aware of the
‘state of play’ in their business, and are therefore more able to anticipate
future change requirements.

Firms can effectively reduce their costs of compliance by being more proactive and
less reactive as this is more efficient.

Reputation

Firms can enjoy the benefits of improvements to their reputation in the eyes of
consumers through the reduced risk of high profile actions being taken against the
firm. This leads to a likelihood of increased sales opportunities, not only with new
customers, but also with existing customers as the company continues to be the
product or service provider of choice.

In addition to this, consideration needs to be given to reputation within the
industry, and reputation with the regulator. This latter benefit could manifest itself
with less intensive regulatory supervision and a more consultative approach from
the regulator, rather than the risk of a confrontational approach.

Finally, there is the reduced possibility of negative publicity, which could in turn
lead to consumer boycotts and a damaged public image.

Within the wider community and society

A link between good conduct, well managed conduct risks, and corporate social
responsibility can be established. The International Chamber of Commerce (ICC)
has considered the links between business conduct and making a positive and
responsible contribution to society.

Growing numbers of firms have been adding environmental and social indicators
to their economic and financial results in reports that are often titled as social
reports or sustainability reports. Indeed, sustained profits and good conduct are
mutually supportive and an increasing number of companies view corporate
responsibility as integral to their systems of governance. The ICC prefers the
terms responsible business conduct or voluntary corporate initiatives to
corporate social responsibility. Whichever term is preferred, it is part of the
requirements for doing business in today's global economy.

A company must develop its own understanding of how its principles or
behaviour relate to external expectations or to external codes, guidelines
or expectations. Internal monitoring of compliance, external reporting of
performance, and independent assurance are matters that should be decided
by the companies themselves. As already mentioned, responsible business
conduct may improve companies’ public image, give them a strategic advantage
over competitors in the long-term and help them to make their management
systems more effective. However, it may also place companies in a more
favourable legal and political environment.

Market forces, the demands of customers, and scope for pre-empting government
legislation, all provide further incentives. Responsible business conduct may
improve long-term profitability and the ability of companies to obtain a greater
share of world markets. These positive consequences of the exercise of corporate
responsibility make it a farsighted and profitable business policy.

5.3 Market conduct

Market conduct can be defined as the interaction between the firm and the
markets within which it operates. It is often linked very closely with market abuse
as it tends to be market abuse cases that cause the most damage to confidence in,
and the stability of, financial markets. Market abuse is examined in Unit 9, section 7.

Other market conduct requirements, such as producing accurate, audited accounts,
help promote transparency in the financial markets and, consequently, trust.
Should that trust be lost it can take a very long time to regain and have a significant
impact upon confidence and stability in that market.

There are many rules and plenty of guidance related to market conduct. How can a
firm ensure that it is not only meeting its regulatory obligations, but also observing
industry best practice?

Most firms take a three-step approach. Firstly, the firm has policies in place,
outlining the regulations, staff responsibilities and obligations to ensure that these
are met. These policies should include, as a minimum:

• a conflicts of interest policy
• a personal account dealing policy
• an order execution policy, and
• a high-level policy relating to market conduct, which would incorporate
reference to market abuse.

Secondly, the firm provides training to all staff, and additional training in higher-
risk areas, where appropriate. The purpose of this is to ensure that employees
understand the policies, and their responsibilities and obligations.

Finally, the firm must ensure that there is a robust monitoring plan in place so that
if there are breaches of market conduct requirements, or if incidents of market
abuse take place, the firm is able to identify these, and report them to the regulator
as soon as possible.

5.3.1 Market confidence

Market confidence is at the heart of a stable financial services system. This makes
it the cornerstone of regulation and it is closely linked to the other core objectives,
particularly consumer protection. To be confident, a customer or investor needs to
trust that the market is operating fairly. Confidence in the market is critical to the
viability of national and global economic interests. Like other markets, financial
markets are dependent on customers doing business with them. The markets rely
on the conduct of transactions, for example customers depositing their money
in a bank account, paying bills, borrowing money on a residential mortgage or
unsecured personal loan, using their credit cards, trading stocks and shares, taking
and laying off financial risks, and investing for the future.

If customers lose confidence in the market, they will stop doing business with
financial services companies. When this happens, it is not just the financial services
industry that is affected; the whole economy suffers.

Consumer confidence can be affected very quickly and can be lost easily.
Confidence can be lost in seconds but restoring it takes time, in some cases, years.
During the global financial crisis we have seen well-established names such as
Bear Stearns, Lehman Bros and the UK’s HBOS destabilised in a matter of days, their
strong track records and sound reputation providing no immunity from consumer
and investor concerns in prevailing conditions. Market confidence can no longer be
viewed solely in terms of the local (i.e. national or regional) market.

5.3.2 Examples of failures to maintain proper market conduct

The recent financial crisis provides a rich source of examples but it is not the
only incidence of loss of market confidence. Over the years the financial services
industry has been rocked by a series of financial scandals that have adversely
affected confidence in the market or the regulatory system on a national or
international basis.

In 1995, Barings Bank, one of the oldest and most respected names in British
banking, collapsed after an employee, Nick Leeson, accrued losses of over £800m.
The losses arose from unauthorised derivatives trading by Leeson, who was based
in Singapore but managed from London. The cause of the collapse was attributed
to a lack of systems and controls, in particular of appropriate oversight of trading
activities. This led to a regulatory review of systems and controls, including senior
management responsibilities.

In 2001, Enron, one of the largest US companies, collapsed following allegations of
false accounting. Fraud and weak systems and controls, in particular poor corporate
governance, were blamed for its downfall. This prompted widespread reforms in
relation to international accounting standards and corporate governance (see Unit
3, section 1.2.1).

Each emerging scandal damages consumer confidence further. The loss of
confidence in both the above examples was significant, owing to the levels of
trust that the businesses had previously inspired. Trust may take years to build but
is easily lost. In order to restore confidence, it is usual for regulators to respond
to scandals by tightening or amending regulation to prevent a recurrence of the
problems. Both the LIBOR and the FOREX scandals already discussed are also
examples of poor market conduct.

5.4 Market stability

Maintaining the stability of the market is critical to maintaining confidence.
Freedom to take legitimate risks is an essential feature of a healthy market, but a
minimum level of standards is required to ensure that companies are robust, and so
able to withstand market shocks and risks arising from their business model.

Common features of international regulation include requirements that:

• firms have robust internal controls and risk management practices to cope
with the risks they take from day to day
• firms have sufficient liquidity (in other words, money in the bank) to meet
their obligations as they arise
• senior managers responsible for running the firm meet appropriate tests of
honesty and personal integrity, competence, skill and experience.

In most sectors, minimum capital requirements are formulated by international
bodies and adopted into local regulation.

In Europe:

• banks and investment firms must adhere to standards implemented
through the Capital Requirements Directive (CRD), which incorporates
Basel requirements; CRD4 is in the process of being implemented now (see
section 6.2.3 below)
• insurance firms must adhere to capital standards implemented through the
Solvency II Directive.

A move towards risk-based capital requirements means that after meeting
minimum standards, firms have to calculate and allocate the additional capital
required to support the specific risks that they run, having regard to their size,
business and markets.

In setting standards, regulators aim to instil confidence in the market as a whole,
rather than in individual firms. As a result, regulators have not historically set out
to prevent individual firms from failing. Nonetheless, since the collapse of a large
provider could itself adversely affect market confidence, recently we have seen
regulators step in to prevent failures in these circumstances.

5.4.1 Examples of potential threats to market stability

Lehman files for bankruptcy

In the US, there was a sense of shock that a firm such as Lehman Bros – established
in 1850 and perceived as one of the pillars of the investment community – could be
allowed to fail. Yet no rescue package was forthcoming. As an investment bank, its
failure, while shocking, did not directly affect the average man in the street and was
therefore not expected to significantly reduce wider market confidence.

Support for Fannie Mae and Freddie Mac

Compare the Lehman Bros case with that of Fannie Mae (short for Federal National
Mortgage Association) and Freddie Mac (short for Federal Home Loan Mortgage
Corporation). The collapse of these mortgage guarantors would have had a
potentially catastrophic effect on market confidence. The US government therefore
stepped in to guarantee the businesses. Fannie Mae and Freddie Mac do not lend
directly to homebuyers but buy mortgages from approved lenders and sell them to
investors. Between them they guarantee or own roughly half of the US mortgage
market. Almost all US mortgage lenders, large or small, rely on Fannie Mae and
Freddie Mac to some extent. Both continue to trade under the watchful eye of
the regulator.

6. Overseeing prudential compliance
Prudential regulation is the means by which the stability of the financial services
industry is underpinned. It takes two forms: macro-prudential regulation and
micro-prudential regulation.

Macro-prudential regulation focuses on issues relating to the stability of the
financial system as a whole. It is in essence a rules-based form of supervision.
Although there are occasions when an element of supervisory discretion may be
allowed, it is important that this is constrained.

Micro-prudential regulation deals with the stability of individual institutions and
is concerned with the responses of individual financial services firms to risks from
outside sources.

In both cases the overriding objective is to protect depositors. To achieve this,


standards are applied that aim at reducing the risk that an institution will fail owing
to a lack of capital. The need to ensure capital adequacy has been prominent in
the minds of regulators since prudential regulation was first introduced in the
early 1970s. Even so, some financial commentators are of the opinion that a lack of
liquidity, rather than insufficient capital, led to the financial crisis.

6.1 Senior management responsibilities

There is a close relationship between prudential regulation and corporate
governance, and senior management is responsible for this. As the term implies,
corporate governance is about the way in which an organisation is governed, and
this governance should be for the benefit of its stakeholders. The Organisation for
Economic Co-operation and Development (OECD) has described its purpose as
‘maximising value subject to meeting the corporation’s financial and other legal
and contractual obligations’.

Senior management responsibilities were explained in some detail in the Basel II
rules, which were published in 2001. Banks were expected to ensure that robust
internal capital-assessment processes were in place and that these set realistic
targets for capital adequacy in line with the level of risk involved. Furthermore,
credit assessment procedures would need to be sufficiently robust to stand up
to external scrutiny by the regulators. The past practice of ‘box-ticking’ would be
replaced with more in-depth probing by regulators.

The Basel Committee was of the opinion that the proposals would also require a
more detailed dialogue between the regulatory supervisors and banks. This, in turn,
would have implications for the training and expertise of the regulatory supervisors
of banks. This was regarded as an important issue, and one which should not be
underplayed, for supervisors’ ability to perform their role effectively would depend
to an extent on their experience and training.

6.1.1 ‘Fit and proper’ requirements

Example: British Virgin Islands

The BVI Financial Services Commission (FSC) issued its amended guidelines for
its Approved Persons Regime in March 2009, as amended in December 2013 [65].
The following extract explains clearly the purpose of the guidelines and the
expectations and duties required of senior persons in financial services firms
regulated in that jurisdiction.

These Guidelines are designed to assist the Financial Services Commission in the
consideration and approval of applications for the appointment of senior officers,
including applications relating to the approval of actuaries, auditors and other
independent officers pursuant to any financial services legislation. These Guidelines
outline senior officer duties and responsibilities and incorporate a set of rules
governing the process and procedure for the approval of senior officers of a regulated
person and actuaries, auditors and other independent officers.

A suitable candidate for a senior officer position must be qualified and have
appropriate experience. In order to be appointed as a senior officer, a candidate must
demonstrate a high level of competence and integrity. Before granting approval of
an application for a senior officer, the Commission must be satisfied that the person
to whom the application relates is fit and proper in accordance with the criteria
established in Division 2 of Part II of the Regulatory Code, 2009. The Commission
exercises judgement and discretion in assessing fitness and propriety and takes into
account all relevant matters including honesty, integrity, reputation, competence,
expertise, experience, capability and financial soundness. These criteria have equal
application to the consideration of applications for the approval of actuaries, auditors
and other independent officers, whose qualifications and experience are generally
covered under their respective applicable financial services legislation.

65. http://www.bvifsc.vg/Portals/2/FSC%20Approved%20Persons%20Regime%202009%20%282013%20Consolidated%29.pdf

The Commission holds the regulated person directly responsible for the conduct of its
senior officers, including the performance of their duties, and hence the importance
of recommending suitably qualified persons to be approved for appointment as
senior officers. Therefore a candidate for approval as a senior officer must be familiar
with the business activities of the regulated person, relevant legislation governing
the conduct of the regulated person, and the structure of internal controls within the
regulated person. The candidate must also have the knowledge and professional
competence to efficiently conduct the business of the regulated person.

In the extract, the FSC refers to the firm as the ‘regulated person’, so it can be seen
that its Guidelines refer both to firms and to individuals.

6.2 The Basel Accords

The Basel Accords are the work of the Basel Committee on Banking Supervision
(BCBS), a committee of banking supervisory authorities established by central bank
governors of the G10 countries in 1974 (see Unit 3, section 1.3.2). Its Core Principles
are a framework of minimum standards for sound supervisory practices that are
considered universally acceptable.

6.2.1 The Basel Accord – Basel I

Following its introduction in July 1988, Basel I (as it has since become known) was
adopted by banking systems in more than a hundred countries. Under Basel I every
bank was required to have a minimum solvency ratio of 8%. This means that its
capital had to be at least 8% of its risk-weighted assets. Where the ratio dropped
below the required level the bank concerned was required to reduce its lending or
increase its share capital.

6.2.2 Basel II

The New Capital Accord (Basel II) was published by the Basel Committee in January
2001 following extensive discussion and consultation by the Committee dating
back to June 1999, when it was recognised that since the first accord was drafted
there had been considerable advances in the way in which banks managed their
risks, with a more risk-based approach being in evidence.

Governors of the G10 central banks also believed that international capital
had become dangerously low owing to erosion resulting from the increasingly
competitive environment in which the banks now operated. Their deliberations led
to the conclusion that, to ensure an adequate level of capital in the international
banking system, banks could no longer build business volume without ensuring
that there was adequate capital available to support it. The Committee was also
keen to create a more level playing field across the financial services sector.

The Committee stated that:

The New Accord seeks to improve on the existing rules by aligning regulatory capital
requirements more closely to the underlying risks that banks face. It intends to promote
a more forward-looking approach to capital supervision, one which encourages banks
to identify the risks they may face, today and in the future, and to develop or improve
their ability to manage those risks. It will be more flexible and better able to evolve with
advances in markets and risk management practices.

Principle 6, which related to capital adequacy, stated:

Supervisors must set prudent and appropriate minimum capital adequacy
requirements for banks that reflect the risks that the bank undertakes, and must
define the components of capital, bearing in mind its ability to absorb losses. At least
for internationally active banks, these requirements must not be less than those
established in the applicable Basel requirement.

The overriding aim of Basel II was to make the international financial system more
stable, by putting in place incentives for banks to:

• adopt improved risk management procedures
• apply risk mitigation and risk pricing techniques
• align the amount of capital held more closely with economic risk.

The new rules would also allow supervisors to stipulate more stringent disclosure
requirements, ensuring the soundness of the financial system while, at the same
time, increasing the role played by the markets. Although the 8% ratio requirement
would be unchanged, it was argued that this single measure was no longer suitable
because it failed to take account of variations in risk management across the world.
Consequently, it was decided that a more risk-sensitive framework was required
which would reflect the technological developments that had taken place in
recent years.

Basel II therefore placed greater emphasis on individual banks’ own internal
methodologies, as well as their supervisory procedures. It also encouraged
investment in more risk-sensitive models, providing incentives for banks to
undertake better risk management and was intended to enhance market discipline.

The Accord consisted of three pillars.

• Pillar 1 covered minimum capital requirements, new rules for credit
  and operational risk, and encouraged the use of internal controls and
  management.
• Pillar 2 covered the supervisory process.
• Pillar 3 covered market discipline.

The aim of the Basel II Accord was to improve the measurement of risk, which
is the denominator of the capital ratio. While the market risk measure remained
unchanged, the enhancements to credit risk meant that some banks would be
allowed to use their internal ratings to calculate the minimum required regulatory
capital to be set aside.

It was expected that all three pillars would have implications for the G10 banks,
investment firms and specialist institutions, such as the asset management
industry, in the European Union. At the time it was issued, there was some
concern that the new regulations might lead to transference of business from
banks to non-banks.

From the supervisory perspective, the Accord was expected to place greater
emphasis on internal risk assessment, requiring supervisors to ensure that
consistent risk-management standards were being applied across all financial
firms. This point was underlined in the following explanatory note appended to
the Accord document, which read:

The role of the supervisors is ‘to ensure that each bank has sound internal processes in
place to assess the adequacy of its capital based on a thorough evaluation of its risks’.

From a practical point of view the implications of the changes applicable to the
supervisory function were very significant and possibly onerous. For their part,
banks were expected to ensure that robust internal capital assessment processes
were in place and that these set realistic targets for capital adequacy in line with
the level of risk involved. Furthermore, credit assessment procedures would need
to be sufficiently robust to stand up to external scrutiny from the regulators. The
past practice of ‘box-ticking’ would be replaced with more in-depth probing by
regulatory supervisors.

Although banks were generally in favour of the new regulations, Basel II has come
in for a considerable amount of criticism from the time it was conceived to
the present day. Critics were sceptical from the beginning, for a variety of reasons,
including the following.

• Although the authors of the second Accord intended to create a ‘level
  playing field’, some banks expressed concerns about the effects of giving
  regulators such a degree of discretion in interpreting the regulations. These
  concerns applied in particular to Pillar 2.
• In the UK, the British Bankers’ Association (BBA) argued that ‘the scope for
  national differentiation in the application of these standards is the single
  most significant issue in the consistent application of the new Accord’.
• The use of internal risk assessment methodologies could create an incentive
  for banks to design internal ratings systems that would underestimate credit
  risk, leading them to reduce their regulatory capital requirement.
• This was a real concern for a number of commentators, who were of the
  view that it could result in the manipulation of ratings to avoid intervention
  by the regulators. By the time this came to light, the bank could be facing
  bankruptcy (subsequent events proved that this particular concern was not
  without some justification).
• The capital measurement framework was regarded by some as being
  dangerously pro-cyclical.

In view of the fact that risk estimates were to be based on past loss experience,
it was feared that banks would hold too little capital when the economy is
growing and too much in a downturn. Consequently, lending levels would not
be restrained sufficiently in boom times, while the reverse would apply during
periods of recession.

6.2.3 Basel III and the fourth EU Capital Requirements Directive (CRD4)

Basel III represents a further attempt to implement effective regulation of the
financial services sector in the light of the lessons learnt from the 2007–8 crisis.
It has been described by Jaime Caruana, general manager of the Bank for
International Settlements, as a ‘fundamental turning point in the design of
financial regulation’.

Some argue, however, that it does little more than build on the regulatory
framework that has dominated international banking standards since the mid-
1980s. Nonetheless, it undoubtedly attempts to rectify some of the most significant
shortcomings of the earlier Accords, such as the issue of the neglect of liquidity and
the fact that banks were under-capitalised in the lead-up to the crisis.

The measures on liquidity are arguably one of its most radical steps. By introducing
international standards, in parallel with the Capital Accord, the Basel Committee
has fulfilled an ambition it has long held. In the past it was hampered by factors
such as the amount of time and effort devoted to negotiating the capital standards,
the divergent views of its members concerning control of the liquidity risk and the
differing structures of money markets. The Committee has now proposed a set of
global minimum liquidity standards that are intended to make banks more resilient
to short-term problems in accessing funding. There are to be two standards, the
Liquidity Coverage Ratio and the Net Stable Funding Ratio.

The Liquidity Coverage Ratio

This ratio requires banks to have sufficient high-quality liquid assets to withstand
a 30-day stressed funding scenario, as specified by their regulator. The Basel
Committee published the full text of the revised Liquidity Coverage Ratio (LCR)
following endorsement on 6 January 2013 by its governing body, the Group of
Central Bank Governors and Heads of Supervision (GHOS). The LCR is an essential
component of the Basel III reforms, which are global regulatory standards for bank
capital adequacy and liquidity, endorsed by the G20 Leaders.

As intended, the LCR was introduced on 1 January 2015, but the minimum
requirement begins at 60%, rising in equal annual steps of 10 percentage points
to reach 100% on 1 January 2019. This graduated approach is designed to ensure
that the LCR can be introduced without disruption to the orderly strengthening of
banking systems or the continued financing of economic activity.

The Net Stable Funding Ratio

This is designed to force banks to raise more long-term debt. A longer-term
structural ratio, it requires banks to use more stable funding sources, and it covers
the entire balance sheet. Some of the finer detail is yet to be completely finalised,
which is possibly because the proposals have met with a considerable amount of
resistance from within the financial services sector. It has been agreed that both
ratios will only be introduced after an ‘observation’ period. This is expected to delay
full implementation, possibly for many years.

Minimum capital requirement

There is also to be a re-defining of the term ‘regulatory capital’ as, at present,
as little as one-quarter of the standard 8% capital ratio could be formed out of
the highest quality capital (core Tier 1 capital). Basel III will ensure that a larger
proportion of the capital base has to be formed by capital with the best
loss-absorbing capacity. At the same time, the Committee has more than doubled the
minimum core Tier 1 capital requirement from 2% to 4.5%, while Tier 2 capital,
comprising instruments such as subordinated debt, is subject to a tightening in
terms of amount and qualifying conditions.

In reality, the capital requirement will be higher than the headline figure suggests,
owing to the conversion factors that apply to each of the tiers. For example, the
capital conservation buffer has to comprise entirely Tier 1 capital. This effectively
increases the core Tier 1 requirement from 4.5% to around 7%.

A bank that fails to meet the capital conservation requirement will be faced with
restrictions on its ability to distribute earnings in the form of dividends or bonuses
until the buffer is restored. The regulator will impose these restrictions.

Core Tier 1 will also be subject to a counter-cyclical capital requirement, which has
the potential to further increase the requirement at the height of an economic
boom, possibly reaching a figure approaching 9.5%. The actual level of the buffer
will be decided by the regulators but the concern is that they may not have
sufficient independence to impose such stringent measures.

Another issue that concerns some commentators is that the methodology for
calculating the capital requirement is somewhat suspect. This is expressed as a
ratio of capital (the numerator) to assets (the denominator), with lower-risk assets
being subject to a range of discount factors. Whether banks hold sufficient capital
depends on whether the denominator is a true reflection of the risk involved.
Furthermore, banks can choose how they calculate the denominator, using either
rating agency assessments or their own internal credit-assessment systems.

Implementation of a leverage ratio requirement has begun, with bank-level
reporting to regulators of the leverage ratio and its components required since 1
January 2013, and public disclosure started from 1 January 2015.

Below is a summary of the key requirements of the Basel III Accord.

1. The capital base

• Raise quality of capital – focus on core Tier 1 capital
• Eliminate ‘innovative’ instruments from Tier 1
• Additional deductions from Tier 1 (full deduction by 1/1/2018):

   a. intangibles (e.g. goodwill)
   b. investments in own shares
   c. Tier 1 instruments not meeting the definition of Tier 1
   d. minority interests in financial subsidiaries
   e. deferred tax assets
   f. mortgage servicing rights
   g. investments in other financial institutions above an
      aggregate threshold of 15% of the reporting bank’s capital

• Only limited inclusion of non-equity elements in Tier 1
• Toughen Tier 2 capital

2. Increase the quantum of capital

• Banks must have a minimum ratio of 8%, of which 6% must be Tier 1
• Remaining 2% can be met by Tier 2 or other eligible capital
• Minimum core Tier 1 capital of 4.5% as of 1/1/2015
• Total Tier 1 requirement of 8.5%, as of 1/1/2019
• Total capital requirement (Tiers 1 and 2) of 10.5% as of 1/1/2019

3. Enhanced capital charges for securitisation and off-balance sheet exposures

• July 2009 new securitisation and trading book requirements
• Draft new counterparty credit risk charges and requirements

4. New 3% leverage ratio

• Based on Tier 1 capital only
• Will include off-balance sheet exposures at 10% credit-conversion
  factor

5. New liquidity standards

• Liquidity coverage ratio – to cover short-term cash demand
• Net stable funding ratio – to cover an extended period of stress

6. New capital buffers

• Capital conservation buffer: 2.5% of Risk Weighted Assets (RWAs)
• Countercyclical buffer (0–2.5% of RWAs)

The Capital Requirements Directive IV (CRD4)

In July 2011 proposals for the Fourth Capital Requirements Directive (CRD4) were
adopted by the European Parliament and closely reflect the Basel III framework.
As Basel III is not law, but rather an evolving set of international standards, its
recommendations will need to be transposed into EU law and the national law
of EU member states. The Commission’s legislative proposals on CRD4 seek to
transpose the Basel III standards into EU law, in the form of a directive and a
regulation. The regulation details the prudential requirements for credit institutions
and investment firms and covers the following aspects.

• Capital – CRD4 increases the minimum amount of their own funds that
  banks are required to hold, as well as the quality of those funds.
• Liquidity – CRD4 improves the short-term resilience of the liquidity-risk
  profile of financial institutions (the exact composition of which will be
  determined after an observation and review period in 2015).
• Leverage ratio – this limits an excessive build-up of leverage on credit
  institutions’ and investment firms’ balance sheets (the ratio is to be subject
  to supervisory review which will be closely monitored prior to a binding
  requirement in 2018).
• Counterparty credit risk – CRD4 encourages banks to clear over-the-counter
  (OTC) derivatives on central counterparties.
• CRD4 creates a single rulebook to address divergent national rules and is
  directly applicable without the need for national transposition, creating a
  single set of prudential rules to be applied within the EU market.

This new Capital Requirements Directive not only covers some areas of the
previous one, CRD, but also includes the following new elements.

• It enhances corporate governance, introducing new rules to increase the
  effectiveness of risk oversight boards, ensuring that regulatory supervisors
  monitor risk governance effectively.
• It creates dissuasive and proportionate sanctions that regulators can
  apply, for example administrative fines of up to 10% of an institution’s
  annual turnover.
• It introduces capital buffers on top of the minimum capital requirements: a
  capital conservation buffer identical for all banks in the EU and a
  counter-cyclical capital buffer to be determined at a national level.
• CRD4 enhances supervision to reinforce the regulatory regime with
  the annual preparation of a supervisory programme for each regulated
  institution on the basis of a risk assessment and greater and more
  systematic use of on-site supervisory examinations.
• It reduces the reliance of credit institutions on external credit ratings.

These proposals replaced CRD (2006/48/EC and 2006/49/EC) and entered into force
on 1 January 2014 with full implementation by 1 January 2019.

CRD4 also strengthens the capital requirements for counterparty credit-risk
exposures. The expanded scope of CRD4 raises challenges for intragroup liquidity
management, which will need to be applied in a consistent manner across a group.

6.2.4 Implementation of Basel III

In December 2010, the Committee released Basel III, which set higher levels for
capital requirements and introduced a new global liquidity framework. Committee
members agreed that they would implement Basel III from 1 January 2013,
subject to transitional and phasing-in arrangements. In November 2011, the
Committee published the rules text that sets out the framework for the assessment
methodology for global systemic importance and the magnitude of additional loss
absorbency that global systemically important banks (G-SIBs) should have. The
requirements were introduced on 1 January 2016 and become fully effective on
1 January 2019.

In 2012, the Basel Committee started the Regulatory Consistency Assessment
Programme (RCAP) to monitor progress in introducing regulations, assess their
consistency and analyse regulatory outcomes. As part of this programme, the
Committee periodically assesses the adoption status of the risk-based capital
requirements, the requirements for global and domestic systemically important
banks, the Liquidity Coverage Ratio (LCR) and the leverage ratio by the Committee’s
member jurisdictions. In July 2013 the Financial Stability Institute of the Bank for
International Settlements published the results of its survey on Basel III’s adoption
status among jurisdictions that are not members of the Committee.

To enable their timely implementation, national jurisdictions agreed that from 1
January 2014 onwards they would implement the official regulations/legislations
that establish the reporting and disclosure requirements.

In January 2013, the Basel Committee issued the full text of the revised Liquidity
Coverage Ratio (LCR). The LCR underpins the short-term resilience of a bank’s
liquidity risk profile. As discussed in section 6.2.3 above, the LCR was introduced as
planned on 1 January 2015 and will be subject to a transitional arrangement before
reaching full implementation on 1 January 2019.

In January 2014, the Basel Committee issued the final text of the Basel III leverage
ratio framework and disclosure requirements following endorsement by its
governing body, the Group of Central Bank Governors and Heads of Supervision
(GHOS). Implementation of the leverage ratio requirements has begun with bank-
level reporting to national supervisors of the leverage ratio and its components,
and public disclosure began with effect from 1 January 2015.

In January 2014, the Basel Committee issued proposed revisions to the Basel
framework's Net Stable Funding Ratio (NSFR). In line with the timeline specified
in the 2010 publication of the liquidity risk framework, it remains the Committee’s
intention that the NSFR, including any revisions, will become a minimum standard
by 1 January 2018.

There are six-monthly updates each April and October, and these give progress
reports on each jurisdiction’s implementation of all elements of Basel III. These can
be found at: http://www.bis.org/publ/bcbs281.htm

6.2.5 Impacts of Basel III

Gaining universal acceptance of the new proposals has proved challenging, for as
Mervyn King, when Governor of the Bank of England, suggested in a speech to a
New York audience in the autumn of 2009, the amount of capital that would be
needed to provide reasonable assurance against another major systemic problem
would be regarded by the industry as ‘wildly excessive’.

Another major concern is that by increasing capital requirements, business will
migrate again to the more lightly regulated, or non-regulated, intermediaries (the
so-called ‘shadow bank’ sector). It will be the responsibility of the new systemic
regulators, such as the Financial Policy Committee in the UK, the European
Systemic Risk Board and the American Financial Stability Oversight Council, to
identify where and when risks are building up in these organisations.

As implied above in section 6.2.3, implementing Basel III consistently is not
straightforward. This is best illustrated by the response to President Obama’s
announcement in January 2010 that he intended to ask the US Congress to
legislate to separate commercial banking from in-house hedge funds, private
equity and proprietary trading (the ‘Volcker Rule’). This was perceived in some
quarters as sabotaging the Basel process and the generally held view that any
changes in banking regulation should be considered collectively (i.e. on an
international basis).

The G20 heads of government meeting in Washington in November 2008 had
urged the Basel Committee on Banking Supervision to take the lead in formulating
a regulatory response to the financial crisis. Membership was increased from 12
countries to 27 and a 12-month deadline was set for the Committee to put forward
solutions. Many changes have been made to the original proposals, which were
part of the Dodd–Frank financial reforms in the US (see Unit 4, section 4.3.1).
Initial fears that the Basel Committee was effectively ‘by-passed’ (meaning that
a genuinely international response to the crisis would not be possible) have not
materialised. Compliance with the Volcker rule has been required since July 2014,
despite its dilution from its initial proposed form.

At best, it is likely that some compromises will have to be made along the way.
The Committee is well used to this but its ability to achieve agreement with
a greatly expanded membership will make the task even harder, especially as
there will be a greater disparity in maturity of the regulatory systems across the
jurisdictions represented.

6.3 The impact of the global financial crisis

In this section we will look at changes in regulatory focus, senior management
responsibilities, and the reports published in the aftermath of the crisis (all
these reports being attempts to explain what had happened and how to stop it
happening again).

We have already looked at the financial crisis timeline in Unit 1 section 1.2: here we
will develop this by identifying how it changed regulations and their focus, where
senior management responsibilities have been emphasised, and therefore the
impacts this has on the roles and responsibilities of the Compliance function.

6.3.1 Risk management and governance – the Turner Review in the UK

In 2009, the Turner Review was issued in the UK. The report and the subsequent
discussion paper from the regulator at that time, the FSA, were a useful contribution
to the volume of literature on the causes of the banking crisis. Moreover, these
documents provided a very clear indication of the regulator’s thinking as to how
UK, EU and international financial services regulation should change in future. Lord
Turner pointed out that:

While some of the problems could not be identified at firm-specific level, and while
some well-run banks were affected by systemic developments over which they had no
influence, there were also many cases where internal risk management was ineffective
and where boards failed adequately to identify and constrain excessive risk taking.

The importance of achieving high standards of risk management and governance
in all banks was stressed. Lord Turner also questioned whether the governance
arrangements appropriate for banks should differ from those applicable to
companies in general and whether additional codes and rules are required over
and above those already embodied in the UK Financial Reporting Council’s
Corporate Governance Combined Code.

Some analysts [66] commented that the Turner Report did not address the
following points:

• the socio-technical nature of crises and the fundamental importance of
  people (usually directors/senior management), organisational structure and
  culture in explaining why they occur
• the presumption that markets behaved irrationally or that shareholders
  could ever have been relied on to provide appropriate market discipline
• the role of financial regulation as a key cause of the crisis
• a challenge to the belief that ever-greater Pillar 1 capital requirements
  are required
• the danger of ‘knee jerk’ reactions by policymakers and regulators and
  notably their apparent desire to replace market forces and make financial
  services regulation more rather than less prescriptive
• the questionable notion that any bank is ‘too big’ or ‘too important’ to fail.

6.3.2 Regulation and monitoring

The Turner Review emphasised that:

Authorities should have the power to gather information on unregulated financial
institutions such as hedge funds to allow assessment of overall system-wide risks; and
to extend prudential regulation of capital or impose other restrictions if any institution
develops bank-like features that threaten financial stability.

It went on to underline the need for the regulators in general to change their
approach to supervision and regulation of the banks. Furthermore, the review
argued that completion of implementation of the FSA’s Supervisory Enhancement
Programme (SEP) was an integral part of this process. The programme required:

• increased resources devoted to high-impact firms and in particular to large,
complex banks
• focus on business models, strategies, risks and outcomes, rather than
primarily on systems and processes
• focus on technical skills as well as on the honesty and decency of
Approved Persons
• increased analysis of sectors and comparative analysis of firm performance
• investment in specialist prudential skills
• more intensive information requirements on key risks such as liquidity
• focus on remuneration policies.

Looking beyond the UK, Turner urged closer cooperation between central banks
and regulators across the globe and advocated increased cross-border supervision.
The review also suggested that there should be a European banking regulator to
supervise pan-European banks.

66. Financial Services Research Forum, http://www.nottingham.ac.uk/business/businesscentres/crbfs/documents/researchreports/paper61.pdf.


6.3.3 Hedge funds

Serious concerns were expressed about what Turner referred to as the ‘shadow
banking’ industry. He recommended that this should in future be subject to the
same regulatory requirements as the rest of the financial services sector.

6.3.4 Credit rating agencies

Turner recommended that credit rating agencies should have to be registered. This
would enable them to be supervised by the regulator. The review also supported
EU legislation to address issues relating to the agencies’ governance and conduct.

One particular area of concern relates to conflict of interest, where agencies had in
the past provided good ratings even though it was evident that the risk levels were
high. An example of this is the favourable ratings given to Icelandic banks such
as Landsbanki.

6.3.5 Bonuses and remuneration

Turner expressed a desire to clamp down on excessive remuneration packages,
which encouraged unreasonable risk-taking by bankers and City traders. Two
aspects received particular attention: packages should be designed in such a way
as to reward those who achieve long-term profits, rather than apparent short-term
gains that might turn into losses in the long term, and bonuses should be paid in
shares with a claw-back provision, rather than cash.

6.3.6 Mortgages

Turner proposed a limit on the amount lent in the UK for property transactions. This
could be linked either to the value of the property being purchased or applied as a
multiple of earnings. Under new rules introduced by the FSA, homeowners would
have to provide a larger deposit from their own resources. In practice, lenders’
appetite for high loan-to-value mortgages had already disappeared by this time, so
larger deposits were already being required.

Turner acknowledged that this would have an impact on first-time buyers and
therefore accepted that it would be sensible for the proposals to be debated
in detail with the mortgage providers and other interested parties, rather than
to rush ahead with any regulation. Account would also need to be taken of the
contemporary low activity in the property market.

6.3.7 Reactions to the Turner Review

As expected, the Turner Review attracted considerable attention. The proposals
it contained generally received a favourable response, although there were some
dissenting voices.

Angela Knight, Chief Executive of the British Bankers’ Association (BBA),
commented that:

The Turner Review and its proposals for a reform are extremely wide-ranging and
place the FSA at the forefront of the international agenda on strengthening the global
financial system, bringing long-term stability, making appropriate changes and
co-ordinated action.

The key to getting this right is the interaction of capital, of liquidity and of managing
risk effectively. As always, the detailed discussions which will flow from this report are
going to be vital as we need to ensure that the new framework is appropriate for small
banks as well as the larger institutions and that the UK retains its attractiveness for
foreign banks.

Richard Saunders, Chief Executive of the Investment Management Association,
commented that:

The Turner review sets out a clear roadmap for future reform of the system. We need
banks which are simpler, more transparent and once again capable of attracting
private capital.

John Cridland, Deputy Director-General of the Confederation of British Industry
(CBI), agreed that Lord Turner:

...has come up with targeted proposals that deal with specific failings and risk to the
system as a whole, rather than responding to the wilder calls for action against banks.
His dispassionate, forensic approach has much to recommend it. A rush to legislation
risked a repeat of a Sarbanes–Oxley type over-reaction, which would simply have
compounded the effects of the recession.

Nonetheless, he also expressed some reservations:

[the CBI is] cautious about the review’s proposals on liquidity and product regulation.
Rushing ahead with requirements for bank liquidity could put the UK out of step with
other countries and force firms to manage their reserves on a country-by-country basis,
which would be a blow to the UK’s competitiveness.

7. Recent developments in the role of the Compliance Officer

7.1 How the role has changed significantly

7.1.1 Evolution and focus

As explored in Unit 2, section 7.1.3, in order to demonstrate effective GRC in a
firm, ethical behaviour and standards must flow from the top down. The board
of directors and senior management should demonstrate their commitment to
high standards of compliance and ethics, through both actions and words. They
should communicate to all employees their expectation that everyone (including
themselves) will comply with laws, rules and internal standards when conducting
business. The Compliance function should support and influence management
in building a robust compliance culture based on ethical standards of behaviour,
which themselves contribute to effective corporate governance.


Compliance starts at the top. It will be most effective in a corporate culture that
emphasises standards of honesty and integrity and in which the board of directors and
senior management lead by example. [67]

Read the guidance Compliance and the Compliance Function in Banks published
by the Basel Committee on Banking Supervision in April 2005. What message does
the paper convey? How does this compare with the situation in your firm? Are you
surprised that it was written as far back as 2005?

The Compliance function is managed by the Compliance Officer, but all compliance
professionals (compliance managers, compliance analysts, etc.) have key
responsibilities, required knowledge and skill sets, which are set out below.

7.1.2 The GRC context

The general responsibility of the Compliance Officer is to provide an in-house
compliance service that effectively supports business areas in their duty to comply
with relevant laws, regulations and internal procedures. The specific responsibilities
of a Compliance Officer depend upon a number of factors, including the particular
industry sector, the size of the business, the nature and complexity of its activities,
its resources, and the attitude of the organisation to the Compliance function and
the issue of compliance generally.

In the financial services sector the position of Compliance Officer requires specific
authorisation from the regulator. Anyone wishing to perform this role must go
through the proper application process and is subject to the Fit and Proper rules.
It also means that such persons are personally responsible for any regulatory
sanctions if they do not perform their role to the appropriate standards.

In January 2012, a UK Compliance Officer, Alexander Ten-Holter of Greenlight
Capital (UK), LLP was fined £130,000 for failing to question and make reasonable
enquiries before Greenlight sold shares in Punch Taverns plc ahead of an
anticipated significant equity fund raising by Punch Taverns plc in 2009. He was
also prohibited from performing the Compliance Oversight and Money Laundering
Reporting functions. [68]

Typically, a Compliance Officer’s specific responsibilities include the following.

• To provide guidance on the proper application and interpretation of laws,
regulations and policies applicable to the firm. Such regulation may include
rules, guidance documents, codes of conduct and internal policies designed
to achieve regulatory compliance.
• To provide managers with guidance in the development, implementation
and maintenance of robust policies, procedures and practices for
regulated activities.
• To create a programme of activities to educate and encourage both
managers and staff to operate in compliance with relevant laws and
regulations. This should include providing training on key compliance
and regulatory matters such as complaints, money laundering, conflicts of
interest and personal account dealing.

67. Basel Committee – Compliance and the Compliance Function in Banks, April 2005.
68. Final Notice – Greenlight Capital (UK) LLP http://www.fsa.gov.uk/library/communication/pr/2012/007.shtml.


• To implement and maintain a compliance-monitoring programme to
provide management with assurance that key regulatory risks are being
adequately managed within the business areas. Aside from being a
regulatory necessity in most jurisdictions, monitoring is invaluable in
helping to identify risks and detect breaches in controls and procedures.
• To set policies and procedures and propose improvements in the event that
the monitoring programme identifies weaknesses.
• To provide regular and accurate reports to management (and where
necessary to the board of directors) on regulatory and compliance
matters. This should include the raising of significant issues, concerns or
regulatory breaches.
• To coordinate and assist other control and risk functions in order to
comprehensively identify, assess and manage regulatory risk.
• To support senior management in establishing and maintaining good
relationships with the regulators. This includes acting as the main point of
contact between the institution and the relevant regulators.
• To assist in the development of an effective internal compliance culture by
promoting the benefits of ethical business conduct.
• To maintain relationships with regulators, including the coordination of
responses to consultative papers or other regulatory pronouncements.
• To contribute to, and attend meetings of, industry or trade bodies of which
the firm is a member.

It is clear that the role is no longer a standalone assurance activity. Compliance is
at the heart of GRC, and the Compliance Officer has a pivotal role to play in helping
the board and senior management to develop and instil the required cultural
and ethical standards that are needed to help a firm to be successful in today’s
regulated environment.

7.2 Key technical knowledge and skills needed now

7.2.1 Role-related knowledge

The Compliance Officer must have sound regulatory knowledge covering a variety
of topics. While specialist team members may retain the more detailed knowledge
of the rules, the Compliance Officer must still hold a sound understanding of the
objectives, principles and management of compliance. This is not only important
for maintaining personal credibility but also enables the Compliance Officer to
apply such knowledge to more strategic decision making.

As a minimum, the Compliance Officer must have an understanding of the
following topics:

• corporate governance and legal entity structure
• regulatory risk framework
• the firm’s registrations with the regulatory authorities
• anti money laundering and fraud prevention techniques
• rules and regulations for providing investment services
• rules and regulations for keeping clients’ money and assets safe
• rules and regulations for keeping clients informed
• key conduct risks for the firm
• rules and regulations for resolving customer complaints
• rules and regulations to ensure that the product or service is appropriate for
the client
• relevant marketing and financial promotion rules in local and relevant
overseas jurisdictions
• products and services provided by the firm
• client documentation and fee schedules
• strategic plans for the firm
• key policies and procedures at the firm
• systems in place to service the firm’s business
• management information and statistics
• recent audit and regulatory reports
• areas identified as problematic, and emerging issues.

Knowledge of the laws and regulations is not in itself sufficient. Compliance
Officers also need to be able to apply knowledge effectively in the context of their
own firm. Hence, a sound knowledge and understanding of the business in which a
Compliance Officer works is fundamental. Compliance professionals cannot operate
(or be seen to operate) in isolation from the rest of the business.

Sound business acumen will not only enable them to apply regulatory
requirements appropriately, but will also enhance their credibility with colleagues
in other parts of the company.

This is especially important in a principles-based and outcomes-focused regulatory
environment, where the regulatory regime requires a focus on the ‘bigger picture’,
looking beyond the rules to identify the spirit in which they were written and the
intention behind them. It is how you comply that is most important.

7.2.2 Analytical, investigative and research skills

Compliance Officers must have the ability to analyse and interpret data gathered
for a number of purposes, for example when undertaking compliance reviews
and monitoring activities. This is key to being able to quantify the level of
regulatory and compliance risk to which the business is exposed and to assist in
implementing improvements.

The Compliance Officer must also have good investigative (including questioning)
skills, for example when dealing with customer complaints or with a regulatory
review or investigation. These skills are usually called upon when something has
gone wrong.

The ability to conduct appropriate research is important since an understanding
of the broader regulatory or business perspective is the best way of ensuring that
appropriate advice is provided.

7.2.3 Business awareness and pragmatism

These two skills complement each other. Again, they have a material impact on the
credibility of the Compliance Officer and level of respect, and therefore acceptance,
at a senior management level. Compliance Officers must be able to demonstrate
a good understanding of the market and business in which they operate in order
to exercise good judgement as to the best way to achieve compliance. Failure to
do this may result in the development of impractical solutions. It is also imperative
that the Compliance Officer appreciates, and is sympathetic to, the commercial
pressures faced by the business.

While it is important to remain independent, a Compliance Officer who has
no real engagement with the business, or who simply quotes from rulebooks
without explaining the regulations in a business context, will add little value to the
company as a whole. If Compliance Officers are seen to operate in isolation they
will often find themselves bypassed, or consulted only at the very last minute. This
means that they have missed the opportunity to influence the outcome.

The Compliance Officer must be able to make pragmatic and balanced
recommendations, enabling the firm to achieve regulatory compliance in a way
which helps to achieve the firm’s strategic objectives. Compliance Officers must
remember that compliance is not an end in itself; it is the positive outcome for
customers and other stakeholders that is key, and this contributes to ensuring the
continuing viability of the firm.

It is the Compliance Officer’s role to advise senior management on how the firm
can safely recommend and market products, and balance compliance with the
commercial pressures it is facing. To do this effectively the Compliance Officer must
understand the business structure and its operations, the type of client to whom
any new product will be sold, and the business’ risk appetites, to enable them to
provide suggestions for a practical solution.

7.2.4 Presentation and training skills

Having the technical ability to produce and present compliance in an interesting
and engaging way that relates to the firm’s business activities will give the
Compliance Officer credibility within the firm, and assist in developing the
GRC culture.

If a policy is sent out with no explanation of how to implement it, it could easily
be ignored and cause the compliance team and the firm issues at a later date.

7.3 Key personal skills and qualities needed now

7.3.1 Listening skills

The ability to listen to the needs of the business is vital. Too often, compliance
policies are implemented in isolation, without input from the people who are most
affected and therefore without addressing any objections or concerns.

We have already discussed the ‘tone from the top’ but it is equally important to
engage staff at middle management level as it is they who will have the closest
day-to-day relationship with the operations of the business, such as traders,
advisers, brokers, etc. The aim of a Compliance Officer is to facilitate the ethical
culture through the organisational chain. Keeping an ear to the ground can be one
of the best ways to get a feel for how the business operates and how its culture is
working in practice. Engaging and supporting the line managers and listening to
the practical issues they face can assist the Compliance Officer in tailoring advice
appropriately and offering effective and pragmatic solutions.

This level of engagement between operational staff, their line management
and the Compliance function should ensure that they come to the Compliance
Officer the next time they encounter a compliance issue rather than ignoring or
mishandling the problem.

A good listener tries to avoid dominating dialogue with colleagues. The more
closely a Compliance Officer listens, the more information is absorbed and, indeed,
the more information colleagues may offer. This allows the Compliance Officer the
opportunity to provide focused and relevant advice and guidance through better
understanding of the issues and the objectives/agenda of the speaker.

7.3.2 Communication skills

In order to exert positive influence, a Compliance Officer must have strong
interpersonal skills and exceptional oral and written communication skills. In order
to help the firm meet its regulatory obligations, the Compliance Officer must be
able to provide regulatory information to all levels of staff in a way that is clear,
concise and not open to misinterpretation. It is particularly important that the
Compliance Officer is able to translate ‘regulatory speak’ into language that is
meaningful for those working in the business.

A Compliance Officer may have to provide the regulator with information or
notify senior management and the regulators of significant issues as they arise.
Poor-quality communications could have a negative impact on the way the
business receives the messages. This in turn can have consequences for the level
of compliance achieved and could also adversely affect the credibility of the
Compliance Officer.

Verbal communications

Verbal communications are part of everyday interactions with colleagues and
contacts. A Compliance Officer is required to communicate verbally both with
groups and on a one-to-one basis. In either case, the Compliance Officer must
have the ability and confidence to present messages clearly, succinctly and
effectively. Compliance Officers can often find themselves having to discuss control
weaknesses with colleagues. It is vital they can do this clearly and constructively,
ensuring that the message is received and understood, and will result in positive
action being taken. Consequently it is important that the correct tone is used to
ensure that the message is not dismissed by the audience and does not detract
from the seriousness of what the Compliance Officer has to convey.

When engaging with others, Compliance Officers may find themselves having
to draw on all their communication skills to ensure that the desired outcome is
achieved. How the message is conveyed is often as important as what is actually said.


Written communications

Written communications can form much of the Compliance Officer’s day-to-day
work. Guidance documents, procedures, letters, file notes and responses to audit or
regulatory reports are just some examples of the types of written communication
that a Compliance Officer will need to be able to produce.

These communications may be directed at colleagues of all levels within a business,
many of whom will have little or no appreciation of complex compliance issues. The
ability to communicate complex issues in a succinct manner and be understood by
all staff is important.

It is equally important to be able to tailor messages to the audience in question.
The audience for many written compliance communications is the board or senior
management. Here, it is vital that high-quality outputs are well produced, and
contain relevant, easy-to-interpret information. Significant messages can easily be
lost or misconstrued in poorly presented documents.

7.3.3 Influence

Compliance Officers need to be able to take their place alongside the most
senior managers in any firm. Whether or not they have a direct reporting line
into the board, they must have access to it. They need to be able to exert influence
at this level and to be taken seriously as business partners. One of the most
important skills required of Compliance Officers is the ability to operate at this level
and hold the respect of their peers, such that they are able to contribute positively
to the organisation’s strategy and key decision making. This level of influence is
vital if Compliance Officers are to be successful in their role and embed a culture of
compliance within the company.

In the course of assessing the governance and culture of a firm, regulators will
often look at how the Compliance Officer is perceived in order to seek reassurance
that the individual has the necessary respect to carry out the role effectively.

Consider this example. After a spell of poor performance following slow
recovery from the recession, your firm wishes to market and sell unregulated
collective investment schemes (UCIS) to boost sales and attract new customers
to the business. This is a new business area and senior management and advisers
have no prior knowledge of these products. In the course of your research you
realise that marketing these products to retail clients is restricted and they cannot
be promoted to the general public. The regulator’s view is that these are generally
high-risk products, only suitable for sophisticated investors. You believe that your
firm would be exposing itself to unnecessary risk by getting involved in this activity.
Your role here is to influence the business’s final decision by demonstrating the
advantages and disadvantages and alerting them to potential future issues such
as customer complaints. It is also your role to inform the business when it is not
permitted to market or sell these products.


7.3.4 Negotiation skills

While pragmatism is vital, there are occasions when a Compliance Officer has to
make regulatory recommendations or provide advice to business lines that may
conflict with accepted business practices or be seen as obstructive by the firm. For
example, the implementation of compliance report recommendations often places
additional burdens on managers to comply within tight timescales.

Consequently, there could be some resistance to recommendations. In these
situations, a Compliance Officer will require good negotiation skills, and resilience,
to help managers make sound commercial and regulatory decisions without
unduly burdening operating units. If the Compliance Officer has a reputation for
pragmatism, this often makes such situations easier to handle; the managers will
appreciate that the Compliance Officer will only take such a position where there
is little option and they will therefore be more willing to accept such advice.

7.3.5 Management skills

The level of seniority of the Compliance Officer within an organisation
will determine the nature of the management skills that are required. The
Compliance Officer may be required to undertake one or all of the following:

• manage relationships with other compliance staff
• manage relationships with other internal and external persons
or organisations
• manage specific compliance-related projects
• manage or chair compliance-related forums or committees.

A Compliance Officer must therefore have the ability to manage people, projects
and significant meetings involving individuals at all levels.

7.4 Which skill is the most important?

This is a very subjective matter. A successful compliance professional needs the
technical knowledge and skills, but these can be learned over time. On the other
hand, can the personal skills and qualities be learned as easily? It is possible to
argue that these are part of an individual’s personal characteristics, so may be
difficult to change. However, training and guidance can be provided to help to
develop these personal skills.

This suggests that during recruitment it is perhaps the personal skills that
should be given priority. Nonetheless, it is fairer to say that in the overall context
of the full requirements of the role, they may all be of equal importance.


Learning outcomes

By the end of this unit you should:

• be aware of the different forms of training and the stages of the training
process, and understand your responsibility for maintaining employees’
core competence in meeting regulatory requirements
• be aware of the difference between ‘hard’ and ‘soft’ skills and the
importance of both
• appreciate the importance, for achieving compliance objectives, of
thoroughly understanding the work and objectives of all the firm’s
business units
• know the responsibilities of a Compliance Officer for advising other
business units, both on a planned and ad hoc basis, on regulatory and
compliance matters
• appreciate the importance of monitoring business activities and be able
to advise business units on how to go about this
• know what and when to report to the board so that the directors can
fulfil their responsibilities for ensuring regulatory compliance
• be able to identify the key relationships, both internal and external, in
the Compliance Officer’s work, understand the importance of each
for carrying out the role effectively and know how to develop and
maintain them
• be able to explain the significance of conduct of business regulation,
and how to meet the objectives of protecting investors, maintaining
public confidence in the financial system and preserving market stability
• be able to explain the Compliance Officer’s role in helping the business
to comply with macro-prudential and micro-prudential regulation
• understand the close relationship between prudential regulation and
corporate governance, and the role of the ‘fit and proper’ requirements
for the firm and its employees
• be able to outline how and why the various Basel Accords have been
developed, what their aims have been and the effects that these and
CRD4 have had
• understand the role of the modern Compliance Officer in the GRC context,
and the wide range of skills, technical knowledge and personal qualities
necessary to perform the role effectively.
