
Bangor Business School

About this study guide


The information contained in this Study Guide is for educational
purposes only, and may not apply to your situation. Whilst every
effort has been made to ensure the accuracy of the information
supplied herein, The Management Centre cannot be held responsible
for any errors or omissions. Unless otherwise indicated, opinions
expressed herein are those of the author of the Study Guide and do
not necessarily represent the corporate views of The Management
Centre. Information provided is subjective; please keep this in mind
when reviewing this study guide.

Neither The Management Centre nor the author shall be liable for
any loss of profit or any other commercial damages resulting from
use of this study guide. Any links, quotes etc are for information
purposes only and are not warranted for content, accuracy or any
other implied or explicit purpose.

We regret that the authors are unable to enter directly into any
correspondence relating to, or arising from this Study Guide. Any
comments on this work would be welcome and should be
addressed to:

The Chartered Banker MBA Office
The Management Centre
Bangor Business School
Bangor University
College Road
Bangor
Gwynedd LL57 2DG

‘Important Disclaimer
By reading this study guide, the readings supplied with it and using any
software provided you acknowledge that this is an educational product
leading towards an MBA. You should not construe anything contained in this
study guide, the readings supplied, the presenter’s comments or through use
of the software supplied as investment or other professional advice. This
study guide is not a substitute for professional advice which takes
account of your specific circumstances. No responsibility can be accepted by
Bangor University or the author or the presenter for any loss occasioned by
any person acting or refraining from acting on the basis of any information
contained in this study guide. You make fair use of any material contained
in this study guide, the associated readings and the software supplied for
the purpose of education. The written consent of the university should be
obtained for any commercial use of the materials supplied to you as part
of this module. Nothing here should be construed as criticism express or
implied of the organisations discussed in the study guide, their management
or their employees.
No part of this study guide may be reproduced, stored or introduced into
a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording or otherwise) without the prior written
permission of the University’.

Financial Services Compliance Unit 3


Chartered Banker MBA


Personal Profile:
Sharon Ward MSc FICA Fellow CEA
Member of Bangor University
Adjunct Faculty
A former senior compliance practitioner in the UK, highly qualified
and with extensive practical business experience across a number of
financial services disciplines, Sharon is Chief Examiner for Governance,
Risk & Compliance (GRC) at the International Compliance Association
(ICA) and a regular tutor/contributing author for International
Compliance Training’s (ICT) professional education programmes.
A regulatory compliance specialist, Sharon is also involved in a number
of compliance related projects, including working with the Journal
of Business Compliance, where she was an Editor and Member of the
Editorial Board. She lectures on a wide range of GRC related topics, has
contributed to key industry initiatives and is the author/contributing
author of a number of professional education texts. A Fellow of the
ICA, Sharon is also a qualified Chartered Educational Assessor. She
holds an MSc in Financial Regulation & Compliance Management and
is currently undertaking further studies in related areas.


Contents
Unit 3 – Integrated compliance

Aims

Learning Objectives

1.0 The Changing Regulatory Compliance Environment

2.0 Building an effective compliance culture
2.1 Why compliance culture is important
2.2 Moving beyond compliance
2.3 Accountability and Responsibility

3.0 Developing the Culture of Compliance
3.1 Interrelationship of assurance functions
3.2 Relationship Development
3.2.1 Internal Relationships
3.2.2 External Relationships
3.2.3 When Things Go Wrong
3.3 Hurdles to Effectiveness
3.4 The link between Compliance, Integrity and Ethics

4.0 The value of an effective Compliance Function
4.1 Business benefits
4.2 Benefits beyond individual firms
4.3 Harnessing the benefits of integrated compliance
4.4 The overall benefits of both compliance and Compliance

Answers to Self Evaluation Questions

Bibliography/Reference

Unit 3 – Integrated compliance


Aims
This Unit explores the benefits of integrated regulatory compliance, where the
culture of the operational environment is such that the approach has moved
beyond compliance as a specific area of focus. The benefits arising from this
integrated approach – to regulated firms, individuals working within them and to
the broader business environment – are explored, with consideration of how these
can be more effectively harnessed.

Learning Objectives
On completing this unit you will:
• Be aware of current and emerging factors within the regulatory compliance
environment that are impacting on the activities, focus and approach of the
Compliance Function
• Appreciate what a compliance culture is, why it is necessary and the role of
those involved in its creation and development
• Distinguish between different assurance, control and oversight functions and
understand their role in supporting the activities of the Compliance Function
• Appreciate how compliance, risk management, corporate governance and
ethics work as interrelated disciplines to support the ongoing development of
the compliance culture
• Identify and understand the significant benefits that effective regulatory
compliance can bring to regulated firms and to the wider industry.

1.0 The changing regulatory compliance environment
In order to be effective, the range of activities carried out by the Compliance
Function and the weighting given to some or all of these in terms of priority and
resourcing, as discussed in Unit 2, will vary on an ongoing basis. This is largely as
a consequence of the ever changing regulatory and operational environment
that acts as a backdrop to the role. It is therefore crucial, if the function is to be
effective in pursuit of its objectives, that it maintains an up-to-date awareness of
these areas. The Function should regularly ‘horizon scan’ to maintain awareness of
topics/issues that are emerging with potential to impact the firm and the efficacy
of its compliance approach overall, then adjust the approach accordingly where
relevant. It should seek to incorporate such developments into the compliance
framework in respect of the various educational, monitoring, reporting activities
and so on that take place.

In addition to material available via regulators’ websites and those of the influential
bodies or industry publishers introduced and referred to throughout this Module
thus far, there is also a good deal of research being carried out by academics on a
host of related topics. Depending on the area of interest, such research considers
different elements of the financial services and regulatory environment, either
directly or indirectly, addressing issues that impact the priorities/roles of the
different stakeholders within it, including compliance. It is useful to maintain an
awareness of the output of such research, through reference to the websites of the
Professional Bodies for Compliance such as that of the International Compliance
Association for example, which provide access to a wide range of such material, or
to a professional journal in a related area such as the Journal of Financial Regulation
and Compliance1. It can also be useful to note other quality research journals or
websites providing details of research undertaken – these can be specific to related
topic areas such as those for law, risk, economics or policy, for example, or perhaps
more general in their spread and thus enabling identification of a wide range of
relevant research topic areas - the LSE Research Online website2 is particularly
useful in this regard. Such material provides an indication of current research and
commentary in a wealth of related issues from a range of academics working and
publishing in this area and will support the more practitioner led and industry
derived content that is largely the basis of this Module.
Examples of current and emerging topics relevant to the Compliance field are
set out below, demonstrating the wide ranging nature of influencing factors.
Their relevance for different aspects of the Compliance Framework as discussed
in the previous Unit should be contemplated as we move on to discussion of the
benefits of an integrated approach to compliance. These examples are presented
in no particular order; given the wide range of potential influencing factors these
are indicative only and it is incumbent upon the Compliance Function within any
individual organisation to identify those that apply to their particular firm:
• Technological developments – Ongoing developments in this area impact
on the regulatory environment to a significant degree, not only in respect of
the products and services arising therefrom but also the speed with which this
is happening. Change arising from this continues unabated and consequently,
developments in this area remain on the regulatory radar. Those tasked
with monitoring adherence to regulatory requirements within firms need to
be vigilant to potential challenges arising in this regard, ensuring systems
and approaches are sufficiently robust to meet these. Financial technology
(FinTech) activities are a useful example of technological developments being
harnessed to a positive purpose, helping to enable/support/enhance provision/
innovation of financial services. The Enabling the FinTech Transformation:
Revolution, Restoration or Reformation speech by Mark Carney, Governor of the
Bank of England, in June 2016 notes how new technology will be harnessed
in terms of challenges faced as a central bank. Regulators are clearly keen to
harness the benefits of technological development (RegTech3 – regulatory
technology – being a good example of this) not least to support monitoring
of activities. On the negative side, the challenges arising from the continued
shifts in this area can leave regulation in danger of playing catch up and thus
widening opportunity for less effective regulation of the industry overall, with
resulting consequences for all stakeholders. Firms are particularly vulnerable

1 http://www.emeraldinsight.com/toc/jfrc/24/4
2 http://eprints.lse.ac.uk/
3 https://www.fca.org.uk/firms/project-innovate-innovation-hub/regtech

to such developments being used by criminals, with financial crime being an
unfortunate growth area which the industry has to mitigate against with the
assistance of all stakeholders. In the UK, Project Innovate and the Innovate Hub
are examples of regulatory focus in this area, the regulators making clear4 their
interest: ‘how can regulation foster innovation in financial services?’ and make
the point with reference to the EY Fintech adoption index comment on the
‘pace at which the digital landscape is evolving and the scale of the challenge for
us as a regulator to bear in mind when we think about both the risks that financial
innovation may bring and how to balance that against creating unnecessary
barriers to the many opportunities.’ Innovation and technology appear in the
FCA’s priorities for the year 2018/19 as per their Business Plan. Note also their
Cyber and Technology Resilience: Themes from cross-sector survey 2017-20185,
published in November 2018.
• Outsourcing – This activity generally involves the contracting out of a business
process to another party. Increasingly firms are opting to outsource aspects
of the Compliance Function’s activities, either in whole or in part. A recent
survey6 noted that ‘a quarter of firms have opted to outsource at least part of their
Compliance Functionality. Two reasons cited are lack of in-house compliance skills
and the need for additional assurance on compliance processes.’ Other reasons
given were cost, board request, increase in litigation, need for technology
solutions, removal of administrative functions to enable compliance staff to
focus on regulatory requirements and workload management. Potential risks
arising from outsourcing are on the regulators’ radar, for example a National
Exam Program Risk Alert7 was published by the US Securities and Exchange
Commission’s Office of Compliance Inspections on this topic which noted ‘a
growing trend in the investment management industry: outsourcing compliance
activities to third parties, such as consultants or law firms’ and observed ‘certain
compliance weaknesses associated with registrants that outsourced their CCOs8, as
described in this Risk Alert’, encouraging firms to evaluate their approaches. In the
UK, the FCA published guidance on this topic, for example the recent Guidance
for firms outsourcing to the ‘cloud’ and other third party IT services9. The PRA
also have clear expectations in respect of this topic and in 2015 fined Raphaels
Bank for Outsourcing failures10 stating ‘You can delegate or outsource work but you
cannot delegate or outsource responsibility. Raphaels put its safety and soundness at
risk by failing to have adequate controls in place over their outsourcing.’
• Whistleblowing – A contentious topic for many and a regulatory requirement
in many jurisdictions, debate continues around this subject. For example,
reference is made to this in the Credible Deterrence In The Enforcement of Securities
Regulation11 paper from IOSCO referred to in Unit 1, which states ‘Whistleblowers
are a useful source of information and intelligence. Reporting can be enhanced

4 In https://www.fca.org.uk/news/speeches/uk-fintech-regulating-innovation for example
5 https://www.fca.org.uk/publication/research/technology-cyber-resilience-questionnaire-cross-sector-report.pdf
6 Thomson Reuters Cost of Compliance 2016 – note https://www.refinitiv.com/en for source material and current surveys
7 https://www.sec.gov/ocie/announcement/ocie-2015-risk-alert-cco-outsourcing.pdf
8 Chief Compliance Officers
9 https://www.fca.org.uk/publications/finalised-guidance/fg16-5-guidance-firms-outsourcing-%E2%80%98cloud%E2%80%99-and-other-third-party-it
10 https://www.bankofengland.co.uk/news/2015/november/pra-fines-raphaels-bank-for-outsourcing-failures
11 http://www.iosco.org/library/pubdocs/pdf/IOSCOPD490.pdf

when jurisdictions provide legal protection to whistleblowers to prevent them from
being adversely impacted or prejudiced as a result of providing information.’ This
paper cites useful examples from the US, the EU and New Zealand, highlighting
the US decision to reward eligible individuals who come forward with high
quality information. In September 2016 the FCA began a consultation into
Whistleblowing in UK branches of overseas banks: CP16/2512 stating that
‘Individuals working for financial institutions may be reluctant to speak out about
bad practice for fear of suffering personally as a result. Mechanisms within firms
to encourage people to voice concerns – by, for example, offering confidentiality
to those speaking up – can reassure whistleblowers.’ This followed production in
2015 of the FCA’s new rules on whistleblowing13 when it was commented that
‘Whistleblowers play an important role in exposing poor practice in firms and they
have in the past few years contributed intelligence crucial to action taken against
firms and individuals. It is in the interests of the industry and regulators alike that
wrongdoing is identified and addressed promptly. For individuals to have the
confidence to come forward, it is vital that firms have in place adequate policies
on dealing with whistleblowers and that a senior manager takes responsibility
for overseeing these policies…These rules are designed to build on and formalise
examples of good practice already found in parts of the financial services industry
and aim to encourage a culture in which individuals working in the industry feel
comfortable raising concerns and challenge poor practice and behaviour.’
• Data protection/security – Increasingly an area of concern for business,
with numerous data breaches being a regular feature of recent times, efforts
to address weaknesses in this area are an ongoing issue within the financial
services industry. Given the global nature of the industry and indeed worldwide
commerce, concerns are not restricted to national level, with some important
initiatives undertaken by international bodies. For example, IOSCO produced
Guidance on cyber resilience for financial market infrastructures14, which referenced
audits and compliance as important elements of the market’s cyber resilience
framework, requiring ongoing assessment and measurements to ensure its
effectiveness. In December 2015 BCBS produced a report Progress in adopting
the Principles for effective risk data aggregation and risk reporting15 covering a
range of topics including lessons learned around effective implementation
and their relevance for ensuring effective compliance management. National
regulators take these topics seriously, with clear direction provided in their rules
and guidance around what is expected of firms in this regard, such as that from
the UK’s FCA.16
• Extraterritoriality – The extension of jurisdiction to incorporate offences
committed outside a country’s territory, extraterritoriality issues are
increasingly presenting challenges for international Compliance Officers. The
need to ensure compliance not only with the laws and regulations pertinent
to the home jurisdiction plus those of overseas subsidiaries, but also taking
into account extraterritorial laws of other countries and their consequences/
impact for both home and overseas subsidiaries, is increasingly challenging
and risks are increasing. There have been several fines imposed as a consequence
of violations, for example in respect of the US Foreign Corrupt Practices Act

12 https://www.fca.org.uk/publications/consultation-papers/whistleblowing-uk-branches-overseas-banks
13 https://www.fca.org.uk/news/press-releases/fca-introduces-new-rules-whistleblowing
14 http://www.iosco.org/library/pubdocs/pdf/IOSCOPD535.pdf
15 http://www.bis.org/bcbs/publ/d348.pdf
16 https://www.fca.org.uk/firms/financial-crime/data-security

(FCPA) (such as Siemens $800 million in 2008, BAE $400 million in 2010, Total
SA, a French energy firm, $245 million in May 2013). OFAC sanctions are
another area of relevance for financial services business, with the possibility
of financial transaction prohibitions and freezing assets that fall under the
jurisdiction of the US.17 Again, there have been numerous fines for contravention of these (for
example ING $619 million, Barclays $298 million, Credit Suisse AG $536 million
all in 2010). The impact of the UK Bribery Act 2010 has also been significant,
with implications for companies, boards and management; the 2016 case of
Sweett Group Plc18 provides useful insight into its wide application.
• Sanctions/Prohibitions – OFAC sanctions were referred to under
extraterritoriality issues, above, but maintaining awareness of sanctions
and prohibitions in place is a wider issue in and of itself, linked to a
number of activities undertaken in respect of compliance with international
and national regulatory requirements. Ongoing awareness and appreciation
of business implications is required. An up-to-date awareness of countries and
individuals appearing on relevant lists, feeding this into the overall approach is
important on a number of levels, not least to protect the firm from regulatory
censure in one form or another. Note also the anti-bribery and corruption area
in which developments are ongoing; the UK’s Bribery Act 2010 is particularly
notable given its extraterritorial reach. The work of Transparency International19
(TI) is useful to consider, with its focus on anti-corruption. Note particularly its
Transparency Index. Its People and Corruption: Europe and Central Asia 201620
published in November 2016 makes for illuminating reading.
• Cost of Compliance – Costs in respect of compliance have always been an
issue for this area of business, though increasingly the costs of non-compliance
have become better recognized. That said, balancing compliance costs against
corporate profitability is an ongoing consideration for all concerned, with both
regulators and regulated firms taking a keen interest in this. The previously mentioned
Cost of Compliance 2016 survey noted that the majority of regions expected that
compliance budgets would increase in the coming year, some by as much as
100%. The development of technology in support of compliance activities (the
aforementioned RegTech, for example) may go some way to alleviating this but
can be no substitute for effective personnel and the costs that arise therefrom.
Linked to the wider costs of compliance, finding the right individuals for
compliance roles is becoming increasingly challenging. Though reports indicate
the recent rocketing growth in roles in this area has levelled off somewhat,
vacancies remain in many key positions due to lack of availability of ‘high quality
compliance officers with deep experience’, as noted in the Cost of Compliance 201621,
which went on to say ‘there is a lack of good compliance skills in the market place,
which has driven up the costs of senior compliance professional in particular and
may in turn make it harder for firms (and indeed regulators) to keep hiring ever more
compliance staff’. Expectations are that costs in this area will continue to rise. A

17 https://www.treasury.gov/about/organizational-structure/offices/Pages/Office-of-Foreign-Assets-Control.aspx
18 https://www.sfo.gov.uk/2016/02/19/sweett-group-plc-sentenced-and-ordered-to-pay-2-3-million-after-bribery-act-conviction/
19 http://www.transparency.org/
20 http://www.transparency.org/whatwedo/publication/people_and_corruption_europe_and_central_asia_2016
21 Thomson Reuters Cost of Compliance 2016, ibid. Note also most recent report https://legal.thomsonreuters.com/en/insights/articles/cost-of-compliance-2018-report-your-biggest-challenges-revealed

recent compliance recruitment trend report22 commented on a fall in the number
of vacancies compared to previous years, largely as a consequence of the wider
economic and business environment but also that ‘the three lines of defense model
is changing the background and experience of the type of candidates that companies
are prepared to consider.’ There is an increased emphasis on communication skills,
the ability to engage and management skills, leading to those who have
these being increasingly in demand, the report noting that of those surveyed
‘71%...thought the value of their skills was increasing’.
• Focus on Outcomes – Increasingly, regulators are focusing on outcomes, i.e. the
output of an approach, rather than simply the input. In practical terms, this has
implications for any business subject to regulation by that regulator, as the shift in
approach extends beyond a mere tweaking or adjustment of business activity, to
a much more fundamental overhaul. That is because the focus is less on process
than on the consequences of that process, which brings into play wider issues such as
corporate culture and, particularly relevant to our focus in this Module, changes
to the role of Compliance as a consequence. This will be discussed further in
this Unit. In the UK, regulators have issued commentary on what they mean
by an outcomes focused approach. For example, note the FCA Our Supervision
Overview23 speech which sets out a clear position on this, linking this to their
general approach: ‘Our approach…is to be a regulator that is judgement-based,
pre-emptive and pro-competitive and prepared to be tough when things go wrong.
This approach though is based on an outcomes-focused philosophy. I would like to
explain further what this means and in particular what I mean by outcome-focused.
Regulatory philosophy has coined various phrases such as ‘principles-based’,
as opposed to ‘rules-based’; ‘intrusive’ as opposed to ‘light touch’ and ‘credible
deterrence’ as opposed to the ‘Governor’s eyebrows’. These may seem like variations
on a theme but they do in reality encapsulate quite different approaches and this is
true for an outcome-focused approach. What it means is that we are fundamentally
interested in what consumers actually experience as outcomes and then try to fix the
causes of what is leading to outcomes that are not, or may in the future may not be,
fair…This means at the firm level, particularly for the large firms that have the biggest
consumer and market footprint, we are looking at how the interests of the customer
and market integrity are at the heart of how their business is run – this means our
focus is on the firm’s business model, culture and front-line activities such as product
governance and less on second-line controls. This focus on how the business is run,
rather than how it is controlled, is a fundamental change and is directly linked to
our outcome-focused philosophy.’ Though Outcomes is not now a new approach
within the UK regulatory framework, continued focus on this topic as evidenced
by the content of the FCA’s most recent business plans24 makes clear this is still a
key factor in their regulatory stance.
• Worldwide and national events – In an interconnected world the shifting
political and global climate has relevance for businesses operating in multiple
jurisdictions and sectors; events such as the recent presidential election in the
US, debates around EU membership across Europe, various crises in countries
across the globe, all have relevance for the regulatory environment at multiple
levels. Ongoing awareness and consideration is important.

22 http://www.barclaysimpson.com/Compliance-Compensation-mtr-2016
23 Clive Adamson, Director of Supervision, the FCA, June 2014 https://www.fca.org.uk/news/speeches/our-supervision-overview
24 https://www.fca.org.uk/publication/corporate/business-plan-2016-17.pdf and note most recent plan https://www.fca.org.uk/publications/corporate-documents/our-business-plan-2018-19

• Personal accountability – A recurring theme, personal accountability is
a regular feature of developing regulator approaches. For example, US
enforcement action has placed increasing emphasis on this25, whilst in the
UK the adoption of the SMR and related activities evidence prioritisation of
this issue. The regulators’ stance is that this needs to be considered in
a wider frame, for example note the FCA stating ‘implementation of the SMR
will be a massive test here – if embraced and embedded as an exemplar of good
business – not as a compliance task – it has the capacity to lead to a sea change
in how UK financial services is seen by all parties. Why? Not because of it effect
ex-post enforcement, important as that is. But because it should drive better, clear
ex-ante decisions fostered by a sense of real responsibility and clear accountability.
And thus less problems in the future.’26 The PRA’s 2015 Policy Statement PS20/15
Strengthening individual accountability in banking: UK branches of non-EEA
banks27 has some useful points to make on this issue also.
• Personal liability – This topic has increased in prominence over recent years,
becoming increasingly recognized as a true risk for compliance professionals
as the example cases discussed in Unit 2 demonstrate. As regards liability,
this introduces a different level of risk. 60% of respondents to a recent
survey28 ‘expect the personal liability of compliance officer to increase in the
next 12 months’. What does this mean? In the survey the views of Christine
Lagarde, managing director of the International Monetary Fund, expressed
last year29 in respect of the need for more individual accountability were
referenced, noting that ‘good corporate governance is formed by the ethics
of its individuals’. That speech went on to state that ‘that involves moving
beyond corporate rules based behavior to values based behavior’ and the
need for ‘a greater focus on promoting individual integrity’. This supports the
approach of national regulators, with the UK providing ongoing evidence of
prioritising attention in this area as evidenced by the SMR use of attestations
and increased enforcement activity focused on the individual. International
activities focused on increased personal accountability and thus liability
include the US ‘Yates Memo’30 linking individual accountability and corporate
wrongdoing, and the Australian Securities and Investments Commission
(ASIC) planning to include culture alongside its role as conduct regulator.
• Conduct Risk – A major area of focus within the regulatory sphere, for
regulators and regulated firms alike. The issue of a plethora of guidance and
comment on this topic, alongside significant shifts in the regulatory system in
some areas (such as the changes in the UK regulatory framework for example)
should have left financial services stakeholders in no doubt that conduct risk
is high on the regulators’ agenda. Focus on Culture – Note G30 publication
Banking Conduct and Culture: A Call for Sustained and Comprehensive
Reform31 focusing on the role of these topics in the governance of the
world’s largest financial institutions, including good practice guidance and
recommendations, whilst the FCA’s DP 18/2 Transforming Culture in Financial
Services32 published in March 2018 is another useful publication on these and

25 Refer to US Securities and Exchange website


26 https://www.fca.org.uk/news/speeches/personal-accountability
27 http://www.bankofengland.co.uk/pra/Documents/publications/ps/2015/ps2015.pdf
28 Thomson Reuters Cost of Compliance 2016
29 http://www.imf.org/en/News/Articles/2015/09/28/04/53/sp050615
30 https://www.justice.gov/dag/file/769036/download
31 http://group30.org/publications/detail/166
32 https://www.fca.org.uk/publication/discussion/dp18-02.pdf

related topics in the context of our subject focus in this Module. Conduct is
an ongoing priority in financial services, at both a national and international
level, with increased focus on this topic emerging in the wake of the fallout
from the global financial crisis towards the end of the last decade. Risk
prioritisation of this area alongside culture continues, with Deloitte placing
these at numbers one and two respectively in their prediction of key strategic
regulatory issues that the financial services industry will face in the coming
year33. Regulators around the world are prioritizing activities in support of
improved conduct through a variety of different mechanisms. Many sources
of guidance on this are provided, such as that from the PWC website stating
that ‘The conduct agenda at its simplest is about how customers are treated, how
firms behave towards each other and how they operate in the market. Managing
conduct risk is different to managing compliance and operational risks. Firms
can make good use of their three lines of defence models but they also need to
ensure that ‘doing the right thing’ for customers is front of mind at all levels of
the business... A significant area for firms is the impact of digital and social media
in managing conduct risk… However digital is not an environment that can be
controlled and conduct is critical to managing reputational risks…Without the
right level of senior involvement in the conduct agenda firms will always run the
risk of a surprise. Managing conduct risk is an opportunity to get better outcomes
for customers and that can only help businesses long term. It is the sensible
thing to do when well executed.’34 A recent Conduct Risk report produced
by Thomson Reuters35 looking at how financial services firms are managing
conduct risk has identified distinct industry-wide trends against which firms
can benchmark their own progress. It identified that a high proportion of
firms do not have a separate working definition of conduct risk; however,
‘there appears to be international agreement about the main components’
(culture, ethics, integrity, corporate governance, tone from the top, etc., all as
noted in this Module) and ‘perception of senior individual accountability for the
delivery of conduct risk has sharpened’, with board level focus remaining high
and more than half of firms ‘having a senior manager responsible for conduct
risk’. An increase in costs related to this is expected, both in terms of time and
resources. It is pertinent to note the finding that ‘the Compliance Function is
leading on both the ownership of and accountability for conduct risks’.
• Uncertainty – Lack of certainty in a number of areas – political, industry driven,
economic or indeed arising from many other issues – has relevance for the
Compliance field, presenting a host of challenges for those involved. Given
the likelihood of continued uncertainty in a number of regards, this is a factor
which Compliance professionals will continually need to take into account in
the short, medium and longer terms, considering potential relevance for and
impact upon a whole host of factors relating to their function, their firm and the
regulated environment more generally.

33 https://www2.deloitte.com/uk/en/pages/financial-services/articles/regulatory-top-ten.html
34 PWC website http://www.pwc.co.uk/industries/financial-services/insights/the-conduct-area.html
35 https://risk.thomsonreuters.com/en/resources/special-report/conduct-risk-report-2016.html Compliance and risk practitioners from more than 260 financial
services firms across the world, including banks, brokers, asset managers and insurers
took part in the survey – note most recent report https://legal.thomsonreuters.com/content/dam/ewp-m/documents/legal/en/pdf/reports/culture-and-conduct-risk-2018.pdf?


Self Evaluation Question 1: Think about each of the above topics and reflect on
their relevance for compliance, risk and governance activities within regulated
firms and within the regulatory environment overall. Now consider this in light
of your own regulated firm: from a Compliance perspective, which of these
topics would you prioritise focus on and why?

Suggested reading:
1. Read the Serious Fraud Office The Nature of Compliance36 speech September
2015
2. Locate the G30 Occasional Paper 89 The Digital Revolution in Banking37
by Gail Kelly, published in 2014. Note its exploration of the March of
Digitization, comments around the Transforming Bank and the Implications
for Policy section, giving consideration to the implications of these shifts
both for the regulator and regulated firms.
3. Review the Understanding the costs of compliance 2006 research paper38
4. Examine the KPMG The Cost of Compliance39 2013 paper
5. Access the FCA Handbook section SYSC 18.3.1, noting the requirements in
respect of Whistleblowing
6. Access the 2016 Ponemon Cost of Data Breach Study40 published by IBM
security. Consider the findings at a global and country specific level within
the context of their relevance for ensuring effective compliance within
regulated firms.
7. Examine the findings of the BCBS December 2015 Progress in adopting the
Principles for effective risk data aggregation and risk reporting report, focusing
specifically on the lessons learned regarding effective implementation and
their relevance for ensuring effective compliance management.
8. Locate a sample of the papers referred to in the above section of this Unit.
Reflect on the content of each within the context of the main objectives of
the Compliance Function.

36 https://www.sfo.gov.uk/2015/09/08/the-nature-of-compliance/
37 http://group30.org/images/uploads/publications/G30_DigitalRevolutionBanking.pdf
38 http://logic.stanford.edu/POEM/externalpapers/understanding_the_costs_of_c_138098.pdf
39 http://www.kpmg.com/dutchcaribbean/en/Documents/Publications/The-cost-of-compliance-v2.pdf
40 http://www-03.ibm.com/security/data-breach/


2.0 Building an effective compliance culture
Culture is a wide ranging topic and one on which much has been written over many
years41. Focus in this Unit is on this topic as it relates to the role of the Compliance
Function; as highlighted in the previous section, links between conduct and culture
are clearly being made by regulators at both international and national level. It is
therefore important that consideration is given to this in developing the approach
taken within regulated firms. The Compliance Function has an important role to
play in ensuring a successful outcome in this regard. This section will explore what
is meant by culture in a compliance context, examining links between this and
other related matters that shape the operational environment within regulated
businesses and beyond. It examines how the activities of the function, overseen
by the Compliance Officer and undertaken by compliance personnel at all levels,
contribute to the creation of an effective “compliance culture”. For the purposes
of this Unit, a “compliance culture” or “culture of compliance” is used in its widest
sense, to be a positive influence that may be defined as: “An environment where the
true purpose of regulatory compliance is recognised and actively used to benefit the
business overall.”
In a maxim attributed to Peter Drucker42, ‘culture eats strategy for breakfast’. Why?
Well, as anyone who has worked in any type of organisation will know, or indeed as we will be aware
from day-to-day activities in our own lives, cultural expectations and norms hugely
influence our activities and approach. They shape what is deemed acceptable and
what is not; considered in the context of a business, the influence of culture is
significant. If the pervading culture is at odds with the agreed strategy of the firm,
challenges will inevitably arise. In focusing on the objectives of the Compliance
Function, therefore, it is essential to consider the culture of the firm in which the
function is operating and how this might effectively support, or indeed detract
from, the Compliance Function's aims. The culture within the firm (publicly stated
in documents such as the Code of Conduct, for example, and exemplified in the
manner in which that company does business) supports conduct and approach of
personnel working within it, and a culture that supports a positive attitude towards
compliance makes compliance, and thus achievement of the Compliance Function
aims, more likely. Corporate culture is, of course, influenced by numerous factors
both internal and external to the firm and, as with the many other influencing
factors discussed in Units 1 and 2, factoring those that relate to culture into the
Compliance approach is necessary.
It is also useful to note that culture is one of the areas that regulators consider as part
of their risk based assessment prior to authorising a firm to conduct business within
its jurisdiction and also on an ongoing basis as part of the supervision process.

41 Indeed it has and searches under the topic in relation to management and organisation
will prove fruitful in identifying a range of interesting texts. As regards financial services,
banking specifically, the previously referenced Changing Banking for Good has this topic
at its core, whilst a recent publication Mehran et al (2016) provides a useful range of
articles focusing in on this theme within the context of a range of GRC topics.
42 A recognized leader in the development of management education who invented
the concept known as management by objectives, a management consultant and
educator who influenced the practical foundations of modern business.
Note http://www.drucker.institute/about-peter-f-drucker/ for further information.


2.1 Why compliance culture is important


The culture of the organisation is important from a compliance perspective as it
will either support or detract from the effectiveness of the compliance framework.
Similarly, the effectiveness or otherwise of the compliance framework will positively
enhance or detract from the culture of the organisation. In the previous Unit, the
required behaviours and abilities of compliance personnel, most particularly
the Compliance Officer, were discussed. In examining the evolution of the role,
consideration was given to how the attributes of the individuals tasked with
working in this area had developed to reflect the aspects of the role that had come
to be recognised as key to its effectiveness. Whilst that focus was predominantly on
the practical aspects, there are yet wider considerations that need to be factored
into understanding the role compliance plays within a business.

2.2 Moving beyond compliance


Once adhering to compliance requirements becomes embedded within a firm as
a matter of course, it is possible to move beyond compliance with its potentially
bureaucratic connotations, towards a culture that is more integrated, with a greater
level of buy-in and recognition of the benefits to be gained. Beyond that, the next
stage – sometimes described as values-led business43 – is one where core values are
internalised, which goes beyond just complying with the rules and demonstrates an
ethical, open and integrity-driven approach to business. The Compliance Function
is an important component in the development of this type of positive business
culture and there is much to be gained from it.

2.3 Accountability and Responsibility


In hearing the term “compliance”, the natural focus tends to be upon rules and
regulations and negative impacts, such as fines and loss of reputation, arising
from non-compliance with them. As discussed earlier in this Module, historically,
compliance and its regulatory requirements came to be viewed as a responsibility
which lay solely with the Compliance Function, who worked largely in isolation
from the rest of the business. Consequently, compliance requirements were
sometimes seen as something of an ‘afterthought’, tagged on at the end of the
main business activity, with a sigh of “I suppose we’d better run it past compliance…”.
As a result of this, in organisations where this view was prevalent, the sense
of personal accountability for compliance matters amongst staff within the
business tended to be low, with the general view being “compliance isn’t anything
to do with me”. As discussed in Unit 1, a variety of factors that impacted upon
the regulatory environment, including scandals such as mis-selling, inspired
regulatory change; not only in terms of regulation, but also in terms of focus
and attitude. This in turn resulted in a change in how compliance requirements
are expected to be undertaken and viewed, not only externally by regulators
and internally by the board and senior management within the business, but by
everyone. Thus the positive outcome of the problems experienced within the
regulatory environment is an expectation that compliance matters should be
at the heart of business. Individuals within the business are encouraged to take
responsibility and ownership and, because they are closer to business activities,
the likelihood of problems or errors being noted at an earlier stage has increased.

43 http://webarchive.nationalarchives.gov.uk/20101007090736/http://www.fsa.gov.uk/pages/Library/Communication/Speeches/2010/1004_hs.shtml


This is a great advance on the old system whereby shortcomings were identified
at a later stage by either the Compliance Function, other assurance functions
or, worse, by the regulator. Notwithstanding, the board and senior management
retain overall responsibility for compliance. As such, they are encouraged to set
the “tone from the top” in supporting the activities of the Compliance Function
and promoting an effective organisational culture to do so. How it and other
parts of the business can work effectively together in pursuit of these and related
objectives will be discussed later in this Unit.
Alongside this, the activities of the Compliance Function and how they perform
them are an important aspect of developing an appropriate culture within the
business. This is vital if the board and senior management are to meet their
compliance responsibilities and if the business is to properly benefit from
regulatory compliance.

Self Evaluation Question 2: Consider the general culture in your firm – how
would you describe it?
Self Evaluation Question 3: How might a Code of Conduct impact positively on
the general culture of an organisation?

Suggested reading
1. Read and compare the approach set out in a series of speeches from the
UK regulator on the topic of culture within the industry over recent years
and their expectations of those in regulated firms in respect of this: Hector
Sants, FSA, Can culture be regulated? October 2010; Martin Wheatley, FCA,
Modelling integrity through culture44 November 2013; Martin Wheatley, FCA,
The commercial importance of culture to industry45 December 2014; Culture
in financial services – a regulator's perspective46 speech by Andrew Bailey,
May 2016; Peter Andrews, FCA, Culture in UK banking – regulatory priorities47
October 2016
2. Note the issues covered in the Accountability, from debate to reality48
speech by Martin Wheatley, FCA, July 2015. Consider alongside Personal
Accountability49 by Tracey McDermott, FCA, December 2015
3. Note the series of G30 reports focused on a range of supervisory, governance
and culture matters, including Toward Effective Governance of Financial
Institutions50 published in 2012, A New Paradigm: Financial Institution Boards
and Supervisors51 in 2013 and, most recently, Banking Conduct and Culture:
A Call for Sustained and Comprehensive Reform52 focusing on the role of
these topics in the governance of the world's largest financial institutions,
including good practice guidance and recommendations.

44 https://www.fca.org.uk/news/speeches/modelling-integrity-through-culture
45 https://www.fca.org.uk/news/speeches/commercial-importance-culture-industry
46 https://www.bankofengland.co.uk/speech/2016/culture-in-financial-services-a-regulators-perspective
47 https://www.fca.org.uk/insight/speech-culture-uk-banking-regulatory-priorities
48 https://www.fca.org.uk/news/speeches/accountability-debate-reality
49 https://www.fca.org.uk/news/speeches/personal-accountability
50 http://group30.org/publications/detail/155
51 http://group30.org/publications/detail/162
52 http://group30.org/publications/detail/166


4. Reflect on the keynote speech made by Gabriel Bernardino, the Chairman
of EIOPA, Solvency II implementation – beyond compliance53, in March 2016
at a conference titled ‘The Launch of Solvency II’. Note his comments
regarding ‘the convergent implementation of the new risk-based regulatory
framework across the European Union.’, going on to discuss the importance
of supervisory convergence: ‘it is essential in order to achieve three
fundamental objectives: Firstly, to ensure that European Union regulation is
applied in all Member States; Secondly, to guarantee a level playing field and
prevent regulatory arbitrage in the internal market; Thirdly, to safeguard a
similar level of protection to all policyholders and beneficiaries in the European
Union. Given the current differences of supervisory cultures and practices
between Member States, I appreciate that our new journey might turn into an
“Odyssey”. But it is the right “Odyssey” for us to be undertaking. The European
Union has to have a common supervisory culture and this is precisely why
EIOPA and the European System of Financial Supervision (ESFS) were created.
We are decisive and fully committed to enter this new journey for the sake of
a more coordinated and more robust financial supervision in Europe. In the
coming five years one of our main priorities will be to increase convergence
towards a European supervisory culture. A risk-based culture that: Aims to
ensure strong but fair supervision; Is based on a forward-looking approach
to risks; It takes into account that it is always better prevent than repair.
Prioritizes the dialogue with market participants in order to better understand
their business models, strategies and underlying risks; Promotes early enough
awareness and supervisory action in order to protect policyholders and
mitigate possible disruptions in the market.’
5. Access the Report of the Parliamentary Commission on Banking Standards
Changing Banking for Good54 if you have not already done so, and note
specifically the sections on standards and culture.
6. Review the PRA Rulebook and FCA Handbook, noting the guidance provided
that relates to compliance culture.

53 https://eiopa.europa.eu/Publications/Speeches%20and%20presentations/2016-03-03%20IVASS%20Solvency%20II%20Conference.pdf
54 http://www.parliament.uk/documents/banking-commission/Banking-final-report-volume-i.pdf


3.0 Developing the culture of compliance


The Compliance Function, encompassing its risk assurance activities and the pivotal
role of the Compliance Officer, has an important part to play in the promotion of
an effective and robust culture, both within individual businesses and also more
widely. As with its overall activities and approach, if it is to be effective in this the
Function cannot work alone. All operational stakeholders should be involved:
• International bodies producing initiatives focusing on related topics and financial
services challenges
• Regulators developing regulatory structures and setting regulatory requirements
• Boards organising their businesses to operate in a compliant manner
• Operational departments and other assurance functions within the business
and the individuals working within them
All must align their activities and focus if objectives in this area are to be achieved.

3.1 Interrelationship of assurance functions


A number of risk assurance functions may exist within firms; as addressed in Unit 2,
the structure and make up of these will depend upon the size, nature and activities
of the individual firm and reflect the risk approach (and appetite) of the board
as per its overall strategy. Irrespective, all risk assurance activities work towards
achievement of the following aims:
• Commitment of all functions and all parties, from the board downwards
• This commitment being embedded within the firm’s strategy and code of conduct
• Communication of this commitment throughout the business
• Clear objectives
• Clear accountability
• Reporting on achievement of objectives
• Action if objectives are not achieved – remedial action or a change in approach
• Feedback to all, from the board downwards, business units upwards and across
oversight and assurance functions.
In considering how the various elements support each other it would be useful to
recap on the roles and activities key to regulatory assurance, as detailed in Unit 2:

Overall, the board of a regulated business is responsible for the business and
risk strategy of the organisation, including how its structure is organised, its
financial soundness and its governance.
• As regards compliance matters, essentially, the board of directors are
responsible for overseeing the management of compliance risk. They
approve the compliance policy and ensure that the effectiveness of the
compliance risk strategy is regularly assessed.
• Senior management are responsible for the management of compliance
risk, for establishing and communicating a compliance policy, ensuring it
is adhered to and advising the board accordingly.
• These requirements are underpinned by a range of requirements (spanning
primary legislation, regulatory rules and standards, market conventions, codes
of practice, etc.), including corporate governance obligations, that set out clear
expectations regarding the manner in which business affairs are governed.
• The task of ensuring that the compliance policy set by the senior
management of the business is applied on a day-to-day basis is undertaken
by the Compliance Function, headed by the Compliance Officer.


• The Compliance Function is part of the overall risk management process
within the regulated business and the function’s primary task is to ensure
effective systems and controls are in place to adequately measure and
manage the regulatory risks the firm faces. In so doing, this function assists
the business in achieving key elements of its business objectives and also
in avoiding regulatory censure. Dependent upon the size and nature of a
particular business, a separate risk management function might be in place.
• Through regular auditing of the Compliance Function's activities,
internal audit is one of the main mechanisms by which senior management
can be provided with assurance that the activities of the Compliance
Function are achieving their objectives and, in so doing, support the
board’s overall risk strategy.

Each aspect of risk assurance has a particular purpose and some organisations
will have distinct functions covering these areas, whereas others, whilst having a
separate Internal Audit function in accordance with requirements as discussed in
Unit 2, might combine areas, such as the compliance and risk functions. As ever,
the approach taken is less important than how appropriate that approach is for
that particular business, as the focus should always be on ensuring it achieves its
intended aims.
As discussed previously, applicable regulatory requirements, such as the regulators'
expectations of the UK firms they regulate, must be taken into account. The
objectives of the assurance functions should therefore be expected to closely
align with the overall strategic objectives of the business. In effect, the assurance
functions are the means of providing support for, and checks of, the systems and
controls in place that allow the firm to meet their overarching goals.

Self Evaluation Question 4: Compare and contrast the focus of the corporate
governance requirements, the Internal Audit role and the objectives of the
Compliance Function. Note the complementary aspects of these.
Self Evaluation Question 5: Risk assurance activities work towards which
general aims?

Suggested reading
Revisit the Basel Committee on Banking Supervision's paper The Internal Audit
Function in Banks55 2011. Note the references to the Compliance Function and
how this is supported by the activities of internal audit.

55 http://www.bis.org/publ/bcbs223.htm


3.2 Relationship Development


To be effective in supporting the compliance vision of the board and embedding
an appropriate culture to do so, the Compliance Function needs to foster a number
of key relationships and, be these internal or external, the effectiveness of the
Function will be strongly dependent upon them.

3.2.1 Internal Relationships


As previously stated, Compliance cannot work in isolation from the rest of the
business. Indeed, the Compliance Function that does not have the support of other
areas within the organisation is doomed to failure. Developing effective working
relationships should therefore be a priority for both the Compliance Officer and the
Compliance Function and should encompass, for example:
• Operational business units and staff (for example, line managers of key delivery
areas, such as those involved in sales; product and service development
managers; HR; training; etc.)
• The board and senior management, including non-executive members
• Other assurance and control functions (e.g. internal audit, legal, risk and if part
of a wider group, the other Compliance Functions)
• General staff within the business.
Advantages of developing these internal relationships include:
• The Compliance Function increasing its understanding of the business, as it will
learn from the business experts
• An improved appreciation of the wider business requirements, so that
compliance is considered a necessary part of the bigger picture.
• The opportunity to encourage understanding of Compliance aims and
objectives, ensuring those working within the business appreciate why
compliance is necessary
• Offering an open door policy, whereby business staff can bring issues to the
attention of the Compliance Function, thereby allowing open discussion on
issues prior to them developing into problems
• Helping with communication about developments or issues that need to be
addressed
The stronger the relationships are between Compliance and the rest of the business,
the greater will be the business’s understanding of what the Compliance role is
and what it is seeking to achieve. Notwithstanding the need for independence
and objectivity, it is perfectly possible for compliance professionals to find balance
in their approach and work together with other areas of the business towards
their common goals. The Basel Principles discussed in Unit 2 support this view,
with Principle 5 stating that: “the concept of independence does not mean that the
Compliance Function cannot work closely with management and staff in the various
business units. Indeed, a co-operative working relationship between Compliance
Function and business units should help to identify and manage compliance risk at an
early stage.”


The single most important relationship the Compliance Function has internally is
that with the board, as is made clear in the introduction to the Basel Principles:
“Compliance starts at the top. It will be most effective in a corporate culture that
emphasises the standards of honesty and integrity and in which the board of directors
and senior management lead by example. It concerns everyone within the bank and
should be viewed as an integral part of the bank’s business activities”. Essentially, the
board set the tone as to how compliance is viewed. How effective Compliance is
will be heavily influenced by the board’s view and how this is perceived by the
rest of the business. Put simply, if the board are clearly seen to view Compliance as
important, necessary and of benefit to the business, this will be the view generally
reflected throughout the organisation; conversely, if the board are known to view
Compliance as a ‘necessary evil’, unimportant or even as a nuisance, this will be
mirrored by the rest of the business.
In order to be effective and achieve its goals, therefore, the Compliance Function
needs to have the respect of the board and maintain positive relationships with
it subsequently. This means, at the outset, being clear on the fundamental requirements for
the effective formation of the Function (in terms of independence, resources and
so on) and then ensuring the board remains up to date with the progress of the
Function in pursuit of its objectives, or where challenges to this are arising,
alongside recommendations for addressing these. The most effective way to do
this is through ensuring communication is appropriate, targeted and meets their
expectations, providing necessary interaction and information in a succinct and
timely manner that gives value. Essentially, the board want to view the Compliance
Function, and the Compliance Officer in particular, in the same way as the Regulator
wants to view the board of a regulated business, i.e., as being competent in their
role, aware of requirements and keen to work effectively to ensure these are met.
If the board has confidence in the Compliance Function, based on their dealings
with them, this in turn will foster growth in the positive perception of the benefits
Compliance brings to the business as a whole.

Self Evaluation Question 6: Imagine you have recently been appointed to a
compliance role in the organisation within which you now work. Which internal
relationships would you prioritise development of and why?


Suggested reading

1. In July 2007 the FSA issued a Dear CEO letter entitled Managing Compliance
Risk in Major Investment Banks - Good Practices56. Review this and consider
the following:
• Note the FSA’s observations on good practices based on their work with
major investment banks in London in the light of what you have learned
in this Module thus far and what you understand the current areas of
focus under the FCA are. Note the list of good practices presented in a
number of categories within the Appendix: Defining “Compliance risk”
and responsibilities; Compliance Culture; Governance; Compliance risk
assessment process; Compliance monitoring/desk reviews; Evaluating
compliance performance.
• Read the Defining “Compliance risk” and responsibilities section through
carefully noting the good practice observed in respect of the clear
understanding between the Compliance Function and the business.
Consider this in light of your understanding of the approach taken by
both the FCA and PRA.
• Consider how the good practices observed clearly demonstrate
effective relationship management between compliance and business
functions.
• Read the Compliance Culture section in the Appendix through carefully
noting the good practice observed.
2. Reflect on the issues noted in that letter and compare these to points
on the following topics noted in some of the other suggested readings
referenced in this Unit:
• Culture
• Governance
• Risk
To what degree do you consider there have been notable developments in
approach within these areas and what do you believe are the consequences of
this for the regulatory and thus compliance environment?

56 http://webarchive.nationalarchives.gov.uk/20081231120336/http://www.fsa.gov.uk/pubs/ceo/compliance_risk.pdf


3.2.2 External Relationships


Most Compliance Functions will have relationships with a number of external
bodies; some, like that with the regulator, will be regular and possibly frequent; others will be
more or less regular and involved than this. The strength of these can be extremely
important for the efficacy of the compliance goals. Example external relationships
include:
• The regulator(s)
• Financial crime units
• External assurance bodies (lawyers and auditors)
• Financial Intelligence Units (reporting and information sharing)
• Law enforcement agencies (police and customs)
• Trade associations
• Professional bodies (such as compliance associations, industry bodies linked to
products or services central to the business)
The benefits of developing key external relationships essentially reflect those that
apply to internal relationships, i.e., strong communication links lead to mutually
increased awareness, understanding and appreciation of each other’s roles. These
relationships also help the Compliance Function to remain abreast of current and
potential developments, ensuring they remain up-to-date in their knowledge and
understanding of the wider compliance environment, which in turn helps positively
shape their focus, attitude and approach within their compliance role.

3.2.3 When things go wrong


From a pragmatic perspective, relationship management can be vital if things go
wrong. It is far easier to flag issues to, or ask for assistance from, someone with whom
you already have a relationship. Furthermore, the existing (hopefully positive)
view of the individual Compliance professional and, through them, of the firm,
will provide the other party with some level of comfort and help them view possible setbacks or
difficulties in a more positive light, having confidence in the firm’s abilities to rectify
the problems or work with others to do so. Equally, from an internal standpoint,
bringing identified issues to the fore in a timely manner, providing insight and
guidance on the consequences of these and recommended action to address them,
will likely inspire confidence in the efficacy of the compliance approach.

Self Evaluation Question 7: Imagine you have recently been appointed to a
compliance role in the organisation within which you now work. Which external
relationships would you prioritise development of and why?

Suggested reading
1. Access the sections of the PRA and FCA websites that set out how they
regulate and note reference to relationship management. Consider the
many different ways in which each regulator provides information and
guidance together with opportunities for support to the firms it regulates.
2. Research Trade Associations and Professional Bodies linked to the banking,
compliance and risk management professions. Note the opportunities
available for relationship development and the various means of doing so
(conferences, panel discussions, consultations, online discussions, etc.).

3.3 Hurdles to Effectiveness


How effective the Compliance Function is at achieving its main objective of helping
to manage the firm’s compliance risk will be determined by how it deals with certain
organisational and behavioural hurdles. The issue of how Compliance is perceived
generally is obviously a major consideration, as discussed earlier in this section from
the point of view of how Compliance chooses to position itself in the organisation.
However, how compliance is perceived will additionally depend upon how it
operates and upon the behavioural norms of the organisation’s staff, as directly
influenced by the attitudes of key stakeholders (the board, senior management,
business staff and Compliance itself), as previously highlighted. In developing
the Compliance framework and approach it can be useful to reflect on these and
consider how they might impact on achievement of compliance aims and also how
challenges arising from these might be mitigated by the Compliance stance adopted.
Attitude towards compliance within the business:
• Mechanical compliance, or taking a “tick box” approach to requirements, will
impact upon the style of systems and controls that are adopted and may, in
turn, lead to a tendency for business units to do as little as they can get away
with to comply
• Overreliance on the rule book to decide what is and what is not acceptable,
rather than simply doing the right thing because it’s the right thing to do. Not
only is this disingenuous, but it can also be bureaucratic and time consuming
• Risks might be missed because everything is being considered in the narrow
context of legal or regulatory “do’s and don’ts” rather than in the broader
context of integrity and ethics.
Staff behaviours towards compliance:
• Attitudes towards compliance requirements. Do staff perceive compliance as
something that must be incorporated into their activities? Or as something
optional, if they’ve got the time?
• Believing that compliance is the responsibility of the Compliance Function, i.e.,
it’s not a business responsibility
• Uncertainty of business management regarding the benefits of compliance
and its value to the business
• Confusion over where responsibilities for different activities lie, for example,
“That’s a compliance matter that’s to do with marketing, so it’s Marketing’s
responsibility, not mine, because I’m in Sales!”
• Lack of clarity about reporting lines on compliance matters
• Poor communication in general
• Remuneration of business staff skewed towards rewards that do not incorporate
compliance obligations
• A general culture which seeks to apportion blame, leading to business staff
being both suspicious of Compliance and unwilling to engage with them in
case they find something wrong.

As noted already, the attitude and approach of senior staff can have a defining
impact on how Compliance is viewed, and subsequently upon how the need for
adherence to its requirements is perceived. Such views are reflected in the actions
of the business and the Compliance Function must work to challenge potential
issues and address shortcomings as they arise. As mentioned earlier, this can be
achieved through communication and training activities, which are intended to
enhance understanding of compliance requirements, embed focus within the
compliance strategy and provide opportunity for discussion and clarification:
• Communication - Whether written or verbal, communication plays a vital role in
supporting the Compliance message. Clear, concise and appropriately worded
communications that meet the needs of the target audience are essential. For
example, the tone and language appropriate for communication in a board
report differs from that appropriate for communication of a regulatory update
to business management or a guidance note for new sales staff. Compliance
personnel need to ensure they tailor their communications appropriately.
Likewise, consideration should be given to verbal communication,
encompassing the types of issues discussed in Unit 2 regarding the behaviours
and skills necessary to be an effective Compliance professional. Drawing on
these skills to ensure any communication, in whatever format, is appropriate will
go a long way towards enhancing the Compliance message and overcoming
any potential hurdles.
• Training - Training is an essential medium through which the Compliance
Function can simultaneously deliver the Compliance “message”, increase
staff knowledge and develop relationships with the business. For example,
if the Compliance Function has a solid understanding of the needs of the
organisation (issues such as products and services, business priorities, etc.)
and is able to align its training focus to incorporate these alongside the
pertinent regulatory requirements, the training will have far more meaning
and, consequently, more benefit. Linking generic issues to topics about
which individuals have actual experience is an effective method of ensuring
understanding, and compliance training that keeps this in mind is
likely to be more appropriate and effective for the target audience. Training
requirements, linked to the compliance and business objectives, should of
course continue to be reviewed to ensure they remain up to date and therefore
relevant.
As we have seen throughout this Module, the approach of the Compliance
Function has evolved positively over recent years and moved away from a directive
and monitoring stance, towards more of a consultative and facilitative method of
working with the business. This revised method helps embed compliance and
develop the culture beyond merely complying.

Self Evaluation Question 8: Who within the business do you believe should be
involved in addressing barriers to the effectiveness of the Compliance Function
and why?
Self Evaluation Question 9: Consider how the monitoring activities of the
Internal Audit and Compliance Functions might overlap and what problems
might arise if these are not effectively coordinated.

Suggested reading
Read about the UK Department of Business, Skills and Innovation (BIS)
consultation on Executive Remuneration57 and consider the implications for
corporate governance issues

3.4 Links between Compliance, Integrity, Ethics and Business Culture
When considering the development of an effective compliance culture, it is
important to keep in mind other factors that shape culture, such as integrity
and ethics. An effective compliance culture helps staff to appreciate
the importance of regulatory compliance to the business and to understand
the consequences of failing to adhere to requirements. They are therefore able
to support the board and senior management in their day-to-day risk assurance
activities, ensuring they work in accordance with the “spirit of the requirements”
(the broad principles and intended outcomes), rather than only working to the letter
(i.e. the rules). As discussed in Unit 2, just meeting minimum legal and regulatory
requirements, i.e., being barely compliant, should not be sufficient for a regulated
firm. It is essentially no more than paying lip service to requirements. Such an
approach also runs the very real risk of not meeting these minimum requirements
as there is no room for manoeuvre in terms of approach. This is particularly relevant
for the UK Regulatory Framework example with the current focus on Outcomes.
However, as a result of their constituent parts (primary legislation, rules and
standards, market conventions, codes of practice promoted via industry
associations, internal codes of conduct, etc.) the compliance requirements are: “…
likely to go beyond what is legally binding and embrace broader standards of integrity
and ethical conduct.”58 Therefore, embedding the concept of integrity and ethics
alongside compliance positively influences the wider culture of the firm. It is to its
benefit in an even broader sense, reflecting the generally agreed fundamental
objectives of financial services regulation and also the statutory objectives of the
industry regulator. In other words, concepts of integrity and ethics sit at the core
of financial services regulation and legal requirements are a codification of these
concepts. It is possible to be technically in compliance with the regulation, but still
lack integrity and be unethical; however, if a firm is intrinsically ethical and acts with
integrity, it would be extremely difficult to find it non-compliant.

57 http://www.bis.gov.uk/Consultations/executive-remuneration-discussion-paper
58 Compliance and the Compliance Function in banks, previously discussed in unit 2.

The issue of ethics features regularly on the UK regulator’s radar. As long ago as
2002, the FSA published An Ethical Framework for Financial Services59 focusing
on this topic. Subsequent to this, the FSA’s ‘Treating Customers Fairly’ initiative,
launched in the mid-2000s, whilst focusing on customers, has ethics at its core.
In June 2010, Hector Sants, Chief Executive of the FSA, raised this issue again,
questioning the regulator’s own role in relation to it: “Some of the causes of the
crisis were deeply rooted in behavioural issues that resulted in actions and decisions
that with the benefit of hindsight, were not the ‘right’ ones. A firm’s culture plays an
important role in influencing the actions and decisions taken by individuals within firms
and in shaping a firm’s attitude towards their customers.”60 More recently, there has
been renewed focus on these topics, for example in the Changing Banking for Good report
arising from the Parliamentary Commission on Banking Standards findings and in the
Senior Manager and Certificate Regime (SM&CR), which have cultural and
conduct change at their heart. In supporting regulatory and wider objectives in
these areas, compliance activities and ethical considerations are intertwined.

Self Evaluation Question 10: Principles for Business Principle 1 states that a firm
must conduct its business with integrity, whilst the first Statement of Principle
for individuals requires that an approved person must act with integrity. This
focus on integrity is clearly seen as important. Why is this?
Self Evaluation Question 11: Why are ethics important in financial services?

Suggested reading
In considering the relevance of culture in supporting the aims of the Compliance
Function or otherwise, it can be useful to note developments on this topic
as they apply to a particular jurisdiction. The following provides a sample of
resources on this topic linked to the example UK Regulatory Framework:
1. Read the speech given by Davies, H., Chairman, FSA, Are words still bonds?
How Straight is the City? 2.11.98. Think about the points noted therein, consider
these in light of the issues raised in this Module and your understanding of
the regulatory environment and the various factors that impact upon it.
2. Locate the An Ethical Framework for Financial Services61 FSA Discussion
Paper published in 2002. Read it through, examining the various scenarios
included together with its overall focus and purpose.
3. In June 2010 the FSA published CP10/12 focusing on Competence and
Ethics62. This consulted on proposals to strengthen and refocus elements of
the TC sourcebook, to modernise the regulatory qualifications requirements
and to make changes to the Statements of Principle and Code of Practice
for Approved Persons (APER) under the approved persons regime. Policy
Statement 10/18 was published in December that year. Familiarise yourself
with both of these, considering their focus as you do so.

59 http://www.fsa.gov.uk/pubs/discussion/dp18.pdf
60 http://www.fsa.gov.uk/library/communication/speeches/2010/0617_hs.shtml
61 http://webarchive.nationalarchives.gov.uk/20130403122646/http://www.fsa.gov.uk/library/communication/speeches/1998/sp18.shtml
62 http://www.fsa.gov.uk/pubs/cp/cp10_12.pdf

4. Read Hector Sants’ speech Do Regulators have a role to play in judging culture
and ethics?63 June 2010 and, in the context of the issues discussed in this
Module, consider the issues raised.
5. Review Creating an ethical framework for the financial services industry64,
a paper by Professor Julia Black, London School of Economics, and Karen
Anderson, partner, Herbert Smith Freehills LLP, in January 2013. Note the
links between this and the An Ethical Framework for Financial Services paper
referred to above. Consider what an ethical financial services industry
would look like.
6. Refer again to the speech by Martin Wheatley, FCA, Modelling integrity
through culture65, November 2013 and note Getting culture and conduct
right – the role of the regulator66, by Jonathan Davidson, FCA, July 2016.
Again, in the context of issues discussed in this Module overall, consider
the issues raised.
7. Read Good conduct and market integrity67 June 2014 and Ethics and
Economics68 March 2014, both speeches by Martin Wheatley, FCA, again
in the context of the issues discussed in this Module overall. Consider the
issues raised and any developments in approach that are apparent.
8. Note the FCA’s proposals for new measures to maintain the focus of firms
on culture, announced in September 2016.69 These ‘new measures are
part of the FCA’s continued focus on culture and build on initiatives which
further help the FCA identify and assess key senior individuals. The FCA has
confirmed final rules on regulatory references, which clarify the information
that firms are required to share with one another as part of recruiting to key
roles. The FCA will also consult on: Guidance for Senior Managers on the ‘Duty
of Responsibility’; A new requirement for UK branches of overseas banks to tell
their UK based employees about the whistleblowing services offered by the
FCA and the PRA; Extending the conduct rules to all non-executive directors of
banks and insurers.’

63 http://webarchive.nationalarchives.gov.uk/20130403131641/http://www.fsa.gov.uk/library/communication/speeches/2010/0617_hs.shtml
64 http://www.lse.ac.uk/collections/law/projects/lfm/LSE%20HSF%20discussion%20paper_d3%20ethics%20in%20financial%20institutions.pdf
65 https://www.fca.org.uk/news/speeches/modelling-integrity-through-culture
66 https://www.fca.org.uk/news/speeches/getting-culture-and-conduct-right-role-regulator
67 http://www.fca.org.uk/news/good-conduct-and-market-integrity
68 https://www.fca.org.uk/news/speeches/ethics-and-economics
69 https://www.fca.org.uk/news/press-releases/fca-proposes-new-measures-maintain-
firms-focus-culture

4.0 The value of an effective Compliance Function
It should now be evident that the role of this Function, its overall approach and
the activities it undertakes have undergone a marked overhaul in recent years.
Compliance activities now recognisably work to actively support business objectives
and add value to them, rather than focusing simply upon monitoring and reporting
on adherence, or otherwise, to sets of rules. In many ways, however, the benefits
of compliance can be clouded by the fact that some of them are intangible and
therefore rather difficult to measure. It is important, therefore, for efforts to be made
by the Compliance Function, particularly the Compliance Officer, and others within
the business, to work effectively at ‘selling’ the benefits of regulatory compliance
and the activities of the Compliance Function. The relationship management
activities discussed in the previous section will go a long way towards supporting
this aim, helping to ensure that Compliance is seen as a contributor to the business,
rather than the “business prevention unit” it was once seen as.
This final section looks at the practical benefits to the business of Compliance
activities over and above the embedding of an appropriate attitude towards
compliance in terms of culture. These benefits are considered from both an internal
and an external viewpoint. Compliance related activities are then reflected upon
from a wider perspective, looking at how these advantage the overall regulatory
environment.

4.1 Business benefits


Initially, in considering what the advantages to business of compliance are, focus
will naturally tend towards those of a regulatory nature, i.e.:
• the ‘pay-off’ for the business in reducing the risk of regulatory non-compliance
and thus reducing the possibility of regulatory censure in the form of
enforcement action leading to fines, etc.
• improving relations with the regulator, increasing their level of confidence
in the business and thus reducing their perceived need for regulatory focus/
involvement.
This traditional view is a natural consequence of the way in which in the past, as
previously discussed, the role of Compliance within business has been viewed
and carried out. However, whilst there is no doubt that the approach taken by
the business in respect of managing compliance risk does impact on the way the
firm is viewed by the regulator, regulatory benefits are not the only gains from
compliance and the activities of an effective Compliance Function. With that in
mind, the benefits of regulatory compliance should be viewed in a far wider fashion
than regulatory benefits alone, important though these are.

Focus within business can tend towards the impact upon the “bottom line”;
for many it can therefore be difficult to assess the benefits of a function which
is not profit producing. However, the immediate business benefits of having an
effective Compliance Function, i.e., avoiding the problems that arise from not being
compliant, can indeed be easily linked directly to the bottom line, and many of them
relate to a fundamental business risk, i.e. reputation:
• Financial loss from regulatory censure and fines, leading to reputational
damage
• Further financial loss from loss of business arising from the reputational
damage.
The true cost of a regulatory fine to a business is, of course, significantly more than
the cost of the fine itself, due to the remedial action necessary as a result and the
reputational damage and subsequent business loss.
Whilst ensuring general awareness and understanding of the impact of non-
compliance is necessary and important, rather than focusing on this negative, the
Compliance Function is better served by embedding an awareness of the upside
of compliant behaviour for the business and of the advantages to be gained from
this. For example:
• Having a focused assurance function supporting the business ensures risks are
managed more effectively, resulting in fewer errors and the resulting need for
rework, thus reducing overall costs
• Awareness of regulatory developments will allow early adaption of approach/
focus, thus reducing costs arising from last minute alterations or changes in
approach
• Fewer breaches, so less time wasted investigating errors
• Involvement with product and/or service development at an early stage will
help ensure outputs are “right first time”
• Improved understanding gained through improved information will lead to
improved decision making within the business generally
• Improved management information to the board will assist them in their
strategic decisions
• Embedding a positive attitude towards compliance will result in a more
collective approach towards the requirements, reducing the cost of centralised
compliance
• General improvement in staff attitude and behaviours arising from knowledge
that the organisation within which they work takes a compliant and ethical
approach to their activities.
In addition to such internal advantages, there are external gains to be had (i.e. from
outside of the business). Compliant behaviour and a reputation for it has many
benefits, such as:
• Enhanced trust in the firm, thus enhancing the firm’s reputation
• Positive influence on consumer decisions as to which firm they do business
with
• Positive influence on the views of other firms with whom a firm does business
• Reduced likelihood that the firm will be used for financial crime purposes, as
there will be an awareness that systems and controls are in place to prevent this
and that the attitude of the firm is strongly against it.

In his paper reflecting on reputation and how it interacts with risk in its many guises,
Smith-Meyer (2015) references an interesting recent text focusing specifically on
Reputation Risk70. He highlights the focus within this text on how perception of both
reputation and risk may be biased, based on each stakeholder’s perceptions of
both themselves and other stakeholders. Smith-Meyer positions this as a central
issue for consideration in developing mechanisms for managing this – and
indeed gaining the benefits from that effective management. This harks back to
the issue raised at the outset of this text and one that has resurfaced throughout,
demonstrating the importance of considering the position of all stakeholders in
developing an effective approach.

Self Evaluation Question 12: How might the culture within a firm, and its values,
as evidenced by its behaviour, influence the relationship they have with their
regulator?
Self Evaluation Question 13: How should information about the benefits of
regulatory compliance be communicated to the business?

Suggested reading
1. Review the Costs of Compliance report by Europe Economics71, June 2003,
identifying the topics relating to how a compliance culture can be of
benefit to the firm.
2. Case Study Review: Part 2 of the FSA report on the failure of RBS72 provides
an interesting range of points relating to Management, Governance and
Culture and the impact of this on the events that unfolded. Access this
report and consider these points. Now revisit the HBOS case discussed in
Unit 2. Consider the findings in each and the relevance for regulatory and
compliance activities and approach.
3. Consider the issues raised in The Rising Cost of Non-Compliance: From the
end of a career to the end of a firm73, English, S. & Hammond, S., Thomson
Reuters, November 2014

70 Bonime-Blanc, A., The Reputation Risk Handbook: Surviving and Thriving in the Age of
Hyper-Transparency, DO Sustainability, Oxford, UK, 2015
71 http://www.fsa.gov.uk/pubs/other/cost_compliance.pdf
72 http://www.fsa.gov.uk/static/FsaWeb/Shared/Documents/pubs/other/rbs-
part2management.pdf
73 http://thomsonreuters.com/en/articles/2014/rising-costs-of-non-compliance.html

4.2 Benefits beyond individual firms


In addition to aiding individual regulated firms, effective regulatory compliance can
bring significant benefits to the regulators of those firms, helping them to achieve
their own broader regulatory objectives in addition to their more focused statutory
objectives.
This, in turn, creates benefit to the wider community and the regulatory environment
in general by improving confidence and trust in that jurisdiction’s financial services
market. This has a positive impact, not just on stakeholders involved in financial
services (at all levels), but also more widely, helping to enhance the perception of
business generally and supporting confidence in business transactions. In doing so
it encourages continued development and growth.
Against these positive benefits must also be considered the costs of non-
compliance. In the same way firms suffer for being non-compliant, the non-
compliant behaviour of those firms will have a pervasive effect on the regulatory
environment as a whole, for example:
• Impact on the reputation of the jurisdiction
• Loss of business, as compliant firms will be concerned about doing business
there
• Increased likelihood of the jurisdiction being targeted by those interested
in financial crime, which in turn would impact further on the jurisdiction’s
reputation.
At a time when the view of the financial services industry and those working within
it, at both a national and international level around the world, is at something of a low
point, to be identified as a business or a jurisdiction which is not working in a
compliant manner is not a “club” that any sensible business or jurisdiction would
wish to be a member of.

Self Evaluation Question 14: Consider the costs of non-compliance. Provide
examples of the way in which non-compliant behaviour can impact on the
regulatory environment.
Self Evaluation Question 15: With particular focus on the broader regulatory
environment, why is the compliance culture within a firm of interest to the
regulator in the UK?

Suggested reading
Review the Enhancing Financial Stability by Improving Culture in the Financial
Services Industry74 October 2014, by William C. Dudley, President and Chief
Executive Officer, Remarks at the Workshop on Reforming Culture and
Behavior in the Financial Services Industry, Federal Reserve Bank of New York,
New York City

74 https://www.newyorkfed.org/newsevents/speeches/2014/dud141020a.html

4.3 Harnessing the benefits of integrated compliance
Against a background of change and challenge, Compliance as a business function
has come to encompass a far broader remit than simply monitoring and checking
to ensure all the necessary rules and regulations have been adhered to. As a
key part of risk assurance management within a regulated firm, the Compliance
Function works as an integral part of the business, encouraging best practice and
a general focus on ensuring day-to-day activities adhere to the board and senior
management’s requirements. These are set out in the business objectives and
compliance policy. Such requirements necessarily reflect the wider regulatory
objectives applicable to that firm as they encompass the regulatory expectations
applicable in the jurisdiction(s) in which the firm operates. They reflect the rules,
guidance, etc., of the relevant regulator(s). The existence of this approach on a
firm-by-firm basis, supported by solid procedures, systems and controls to ensure
compliance or action in the event of non-compliance, provides assurance to the
industry sector, to the jurisdiction within which the firm is based and to the financial
services industry collectively, of a genuine commitment to supporting the overall
regulatory objectives. Effectively, their existence supports the overall regulatory
approach deemed necessary for an effective financial services industry that inspires
confidence and trust. This then facilitates business in an environment that is viewed
as fair and open to all, with all the benefits this brings both internally within
individual organisations and generally outside of them. The Compliance Function
and Compliance personnel are central to this, encouraging continued commitment
to this important aspect of business and, in so doing, providing benefit to all
financial services stakeholders. Embedding effective attitudes towards compliance
within the culture of each firm supports this approach within individual businesses
which then, multiplied across each financial services sector and jurisdiction,
supports the underlying regulatory aims. Integrating effective compliance within
business is a vital step in supporting these regulatory ideals overall.

4.4 The overall benefits of both compliance and Compliance
Rules, regulations and requirements were, of course, in place prior to the most recent
global financial crisis and as numerous scandals have unfolded across financial
services; they were also in place in some form during previous crises and series of
scandals, yet they didn’t prevent them occurring. In light of these events, regulatory
approaches continue to develop, with regulation and regulators themselves
adapting to take on board necessary changes and respond to challenges. The
regulatory environment has altered a great deal over recent years. The change in
focus as a result of this, with more emphasis on what regulatory requirements are
intended to achieve, is a positive step towards embedding effective behaviours
within business that allow the fundamental aspects of the overarching regulatory
principles to take precedence. It is these that should be central to the approach of
the Compliance Function within financial services.

The Compliance Function plays a pivotal role in financial services regulation.
At a time of such significant change in the regulatory field, the part played by
Compliance in assisting businesses through difficult times is even more important
than ever. Those tasked with working in this key area of business or in supporting
their work will benefit from recognising the many advantages to be gained from
adopting a positive stance in relation to this within our financial services industry;
putting compliance at the heart of business is vital to help ensure both regulated
firms and the regulatory environment are better placed to weather the financial
services storms that inevitably lie ahead.

Self Evaluation Question 16: In what way do the benefits of regulatory
compliance for a regulated firm reflect the benefits to the jurisdiction of having
regulated firms within it that meet the expected standards set by the regulator
prior to authorisation?
Self Evaluation Question 17: What impact will the recent regulatory change in
the UK have on the Compliance role?

Suggested reading:
1. Given the regulatory change in the UK earlier this decade, focus on the
Compliance role is even more timely, as emphasised in a speech [75] made
in the final year of the former regulator's operations which made clear that
the new regulatory approach would “represent a real challenge to firms
and compliance areas” not only due to the practical impact of having two
supervisory teams, but because the regulator is “looking for a more strategic
approach to how firms handle the conduct agenda and conduct risk” which
effectively means that they will “go well beyond the traditional control structure
in (their) work and compliance areas will need to adapt to this”. This makes clear
the pivotal role that this UK regulator expects the Compliance Function to
have within regulated firms going forward. Reflect on this and consider how
developments in the UK regulatory environment have impacted on the
Compliance role.
2. Locate and review the October 2016 paper issued by the UK's Banking
Standards Board (BSB), Exploring the role of professional bodies and
professional qualifications in the UK banking sector [76].

75 Speech by Clive Adamson, Director of Supervision, Conduct Business Unit, FSA

76 http://www.bankingstandardsboard.org.uk/wp-content/uploads/2016/10/160928-Professionalism-in-banking-publication-FINAL-WEB.pdf


Answers to Self Evaluation Questions – Unit 3


1. As with so many aspects of Compliance focus and activity, the stance taken
needs to be appropriate for the individual regulated firm. All of the topics
highlighted here are impacting the regulatory and compliance environment
to a greater or lesser degree. Decisions of this nature require awareness of and
consideration of the implications of a multitude of developments that impact
on the function and the firm.
2. There is much to think about on this topic. Can you see how the culture impacts
upon the way in which business is done within the organisation and the
attitude of staff towards it? Do you think the culture could be improved upon?
How might you go about this? With training perhaps? Consider what type of
training would be required and who would be involved? Also, do you know
whether your firm has a Code of Conduct? This is a useful means of setting
out the company position on ethical policy, accepted business practices and
business principles generally, essentially making clear their attitude towards
issues of this nature and their expectations of behaviour both of the business
transacted and of its employees. Its exact content and composition will vary
depending on the firm.
3. If the Code of Conduct is drafted in a manner which clearly endorses the role of
the function in helping the business to meet its overall objectives and, within
its wording, makes clear that the board and senior management view such
matters as an important element of the organisation’s fundamental business
principles, this will support the Compliance Function in their activities and help
embed an effective compliance culture, an environment where regulatory
compliance is understood and its benefits recognised.
4. Key aims of the corporate governance requirements are establishing a set of
corporate values and both setting and enforcing clear lines of responsibility and
accountability within the organisation. The internal audit function evaluates
the effectiveness of the bank’s internal control, risk management and governance
process. The role of the Compliance Function is to help manage the firm’s
compliance risk.
5. All risk assurance activities work towards achievement of the following aims:
• Commitment of all functions and all parties, from the board downwards
• This commitment being embedded within the firm’s strategy and code of
conduct
• Communication of this commitment throughout the business
• Clear objectives
• Clear accountability
• Reporting on achievement of objectives
• Action if objectives are not achieved – remedial action or a change in
approach
• Feedback to all, from the board downwards.
6. To a large degree, this will depend upon the nature of the business, but
key relationships to prioritise internally would be: the board and senior
management, the heads of other assurance functions and the heads of business
units.


7. Select from external relationships such as:
• The regulator
• Customers
• External assurance bodies (lawyers and auditors)
• Financial crime units
• Law enforcement agencies (police and customs)
• Trade associations
• Professional bodies (such as compliance associations, industry bodies
linked to products or services central to the business)
The benefits of developing key external relationships essentially reflect those
that apply to internal relationships, i.e., strong communication links lead to
mutually increased awareness, understanding and appreciation of each other’s
roles. These relationships also help the Compliance Function to remain abreast
of current and potential developments, ensuring they remain current in their
knowledge and understanding of the wider compliance environment, which in
turn impacts upon their focus and approach within their compliance role.
8. All of those with whom the Compliance Function should have an effective
relationship should be involved, as they all have a role to play in endorsing the
activities of Compliance and “selling” the benefit of these to the business:
• The board and senior management, including non-executives
• Other assurance functions (e.g. internal audit, legal, risk plus, if part of a
wider group, the other Compliance Functions)
• Operational business units and staff (for example, line managers of
key delivery areas such as those involved in sales; product and service
development managers; HR; training; etc.)
9. Whilst working independently of each other, there should be an element of liaison
between each area to avoid problems for the business such as, but not limited to:
• Duplicating focus on particular areas at the expense of others – from a
risk based perspective, it makes sense for the firm to focus its attention on
high priority issues; utilising Compliance and Internal Audit resources in a
complementary fashion would allow the business to undertake a greater
spread of reviews and focus on more issues, thus gaining more insight into
business activities
• Putting unneeded pressure on business units – without co-ordination it
might be that a business unit is receiving focus from both the Compliance
and the internal audit functions at the same time or directly following on
from focus by the other, with a significant impact on resource for that unit
in terms of time and productivity. Co-ordinating the focus would help
smooth this issue, enhancing the opinion of the business units about how
business aware the assurance functions are
• Duplication of effort – there might be information emanating from either
Internal Audit or the Compliance Functions that might be beneficial to the
other, or vice versa. Sharing of appropriate information may benefit the
business overall and reduce resourcing needs
10. A focus on integrity, at the level of the individual, the business and indeed the
jurisdiction, is vital in supporting one of the main objectives of financial services
regulation: maintaining confidence. Financial services are built on confidence and
trust, with participants needing to have both in sufficient quantities before being
willing to partake in it: experience has shown what happens when confidence
and trust falter, with the events of the recent credit crises being a case in point.


11. Ethics and integrity are important within financial services as they are necessary
for the achievement of the main regulatory objectives. Reputation is vital for
all concerned. Even if an individual is not a direct participant in the financial
services marketplace, they are affected by it indirectly in a number of ways
and having integrity and ethical behaviour as central components within that
market place has wider implications for all.
12. The following extract from the FSA’s An Ethical Framework for Financial Services
provides a useful overview of the interrelation of these topics:

Values and culture of firms: Minimum standards
• Unthinking, mechanical compliance
• Does as little as can get away with
• Culture of dependency
• Tries to abdicate decisions and responsibilities
Regulatory relationship: Policing
• Monitoring boundaries
• Detecting and responding to crises
• Enforcement ‘lessons’
• Basic training

Values and culture of firms: Compliance culture
• Reliant on guidance
• By the book
• Unaware of some risks
• Bureaucratic
Regulatory relationship: Supervising / educating
• Developing ethics and competence
• Looking for early warning signs
• Early action to bounce firms back on track
• Themed / focused visits

Values and culture of firms: Beyond compliance
• Risk focused, self policing
• ‘Buying in’ at senior level
• Ethos integrated into most business processes
• Ethos seen as assisting business
Regulatory relationship: Educating / consulting
• Facilitating the development of competence and culture
• Values scorecard
• Lighter touch

Values and culture of firms: Values-led business
• Internalise ethos of core values
• Spirit not just letter
• Values focused, goes beyond rules, not just compliance
• Well developed individual responsibility and a sense of involvement by (all) staff
• Focus on prevention
• Continued reassessment and improvement of approach
• Awareness and discussion of ethical considerations at senior and all levels
• Open relationships
• Strong learning
Regulatory relationship: Mature relationship / benchmarking
• Reinforce good practice
• Lead by example
• Re-allocate resources to problem firms
• Sustainable regulation

13. Via communication, either directly via training and relationship management
or written via the compliance policy plus the procedures and activities that
support them.


14. In the same way firms suffer for being non-compliant, the non-compliant
behaviour of those firms will have a pervasive effect on the regulatory
environment as a whole, for example:
• Impact on the reputation of the jurisdiction
• Loss of business, as compliant businesses will be concerned about doing
business there
• Increased likelihood of the jurisdiction being targeted by those interested
in financial crime, which in turn would impact further on the jurisdiction’s
reputation.
15. A firm intending to carry out regulated activities within the UK must be
authorised by the relevant regulator or be exempt in accordance with the
regulations. When authorising a firm, the regulators will assess a number of
factors in an attempt to ensure that the firm will not present a challenge to that
regulator achieving their own statutory objectives, i.e. that any newly authorised
firm will meet certain conditions intended to support the UK financial system,
act in a manner encouraging confidence in the UK marketplace, contribute an
appropriate degree of protection for consumers and not be used in connection
with financial crime.
Each regulator will therefore undertake a “risk assessment” of the firm applying
for authorisation, using an approach called the Firm Risk Assessment Framework
and in doing so will consider a number of factors, one of which will include
assessing whether the firm is “fit and proper” to undertake business in the
jurisdiction. This encompasses the requirements set out under the Principles
for Business (PRIN) in the FCA Handbook, which themselves should underpin
the approach of the firm’s board and senior management in relation to key
activities, including adherence to regulatory requirements. The Compliance
culture supports this.
16. This can be summed up in a single word: reputation. Ensuring regulatory
compliance is a priority within a regulated business enhances that firm’s
reputation with the regulator, whilst having regulated firms that meet the
standards set by the regulator – both initially and on an ongoing basis –
enhances the reputation of that jurisdiction in the eyes of all stakeholders and
indeed the wider world.
17. The Compliance role will become even more important, as emphasised in a
speech [77] which made clear that the new regulatory approach would “represent
a real challenge to firms and compliance areas” not only due to the practical
impact of having two supervisory teams, but because the regulator is “looking
for a more strategic approach to how firms handle the conduct agenda and conduct
risk” which effectively means that they will “go well beyond the traditional
control structure in (their) work and compliance areas will need to adapt to this”.
This makes clear the pivotal role that this UK regulator expects the Compliance
Function to have within regulated firms going forward.

77 Speech by Clive Adamson, Director of Supervision, Conduct Business Unit, FSA


Bibliography/References
Armour, J., D. Awrey, P. Davies, L. Enriques, J. Gordon, C. Mayer, and J. Payne
Principles of Financial Regulation, 2016, Oxford
BCBS, Compliance and the Compliance Function in Banks, 2005
Black, J., The Development of Risk Based Regulation in Financial Services: Canada,
the UK and Australia, A Research Report, 2004, ESRC
Black, J. The Rise, Fall and Fate of Principles Based Regulation, LSE Law, Society and
Economy Working Papers 17/2010
Bonime-Blanc, A., The Reputation Risk Handbook: Surviving and Thriving in the Age
of Hyper-Transparency, DO Sustainability, Oxford, UK, 2015
Brunnermeier, M.K., Crocket, A., Goodhart, C., Persaud, A. and Shin, H. The
Fundamental Principles of Financial Regulation, 2009
BSI, Compliance Framework for regulated financial services firms, 2011
Cooper, J., The integration of financial regulatory authorities –
the Australian experience, 2006
ESMA, Guidelines on certain aspects of the MiFID Compliance Function requirements,
July 2012
Goodhart, C.A.E. The boundary problem in (financial) regulation, 2008, National
Institute Economic Review, 206, pp.48-55
Heady, C, and Myles, G.D., Incentivising Compliance with Financial Regulation, 2016,
FCA Occasional Paper 25
IOSCO, The Function of Compliance Officer, 2003
IOSCO, Compliance Function at Market Intermediaries, March 2006
ISO, Compliance management systems, 2014
Levine, R., The Governance of Financial Regulation: Reform Lessons from the Recent
Crisis, 2012, International Review of Finance, 12(1), pp. 39–56
Llewellyn, D., The Economic Rationale for Regulation [78], FSA Occasional Paper
Series 1, 1999
Mehran, H., Morrison, A. and Shapiro, J. Corporate Governance and Banks: What
Have We Learned from the Financial Crisis? Federal Reserve Bank of New York Staff
Reports, 2011, no. 502
Mehran, H., Introduction and Appendix to Behavioral Risk Management in the
Financial Services Industry: The Role of Culture, Governance, and Financial Reporting,
2016, Economic Policy Review, Issue Aug, pp. 1-2, 2016
Tansy-Martens, L., Good Practice Guide: Globalising your ethics programme,
2010, IBE
Taylor, M. W The Road From “Twin Peaks” – And The Way Back. 2009

78 http://webarchive.nationalarchives.gov.uk/20081112204942/http://www.fsa.gov.uk/pubs/occpapers/OP01.pdf
