Ten things UK/EU compliance officers must do in 2012
By Susannah Hammond
LONDON, Jan. 9 (Thomson Reuters Accelus) – This year will be a year of clarifying, evaluating and beginning to implement the practical detail that underpins the sweep of regulatory change due in 2012 and beyond. The changes are not limited to the rulebooks but encompass the regulatory bodies, required structural changes (to banks in particular), the identification of systemic financial services firms and, last but not least, changes to the regulatory perimeter.
Last year saw compliance officers undertake fundamental regulatory reviews and maintenance, as well as ensure the map of their businesses and employees was accurate and that there were effective mechanisms in place to keep it up to date.
The strategic success for a firm faced with the changes due in 2012 will depend on the strength of the foundations on which it is built. As all experienced compliance officers know, one cannot implement change if one does not have an accurate map to build on. Here are 10 things that compliance officers must consider in 2012.
1. Know who is going to regulate you
For some firms the answer may well appear to be both self-evident and unchanged, but there are numerous changes ahead both for individual jurisdictions and on an extra-territorial basis.
In the UK for instance there is the well-publicised split up of the Financial Services Authority (FSA). Firms should have already begun to assess whether they are to be regulated by the Prudential Regulatory Authority (PRA) as well as the Financial Conduct Authority (FCA).
The precise implications, approach and accountabilities of the new UK regulators are still being finalised. It is, however, essential that all firms operating in the UK have a thorough understanding of exactly which body will be regulating which elements of their business, and build knowledge and relationships accordingly.
In 2012 and beyond many firms will also fall under the ambit of the US Internal Revenue Service with the introduction of the Foreign Account Tax Compliance Act (FATCA) due (at least in part) in 2013. FATCA has extra-territorial scope and covers any US national’s account or assets, no matter where in the world they are based. Some firms have already chosen to turn US nationals away as customers, but that does not alter the fact that the IRS’s regulatory reach will soon become global.
Regulation is not just a matter of supervision but also of policy making. All firms should be aware that more and more policy is going to be developed by the Financial Stability Board (FSB), which was granted yet more powers, resources and influence by the last G20 summit.
Similarly all EU firms should follow the technical standards and other policy statements beginning to flow from the European Supervisory Authorities. The European Securities and Markets Authority (ESMA) looks to have a particularly busy 2012 and the creation of binding technical standards to implement regulations will be the last chance that firms have to influence the regulatory requirements.
2. Reassessment of compliance function procedures
By necessity there has been a huge recent external focus for all firms as they navigate through the aftermath of the financial crisis. Compliance functions, however, need to ensure that their own internal policies and procedures remain fit for purpose. More than one global firm has tripped over the need for compliance functions to ensure that adherence to local regulatory expectations comes before adherence to the group internal compliance approach.
Issues have arisen in two main areas. First, there is a presumption that at least some rules and requirements that affect the overseas office will be the same as those that apply to the head office; it is incumbent on all firms to ensure that they are fully aware of all relevant regulatory requirements in each jurisdiction in which they operate and that they can demonstrate full compliance with those requirements. Nothing irritates regulators of subsidiaries more than to find a firm blindly complying with head office rules and ignoring those of its local jurisdiction.
The other area where firms need to ensure internal compliance procedures are fit for purpose is investigations. This is a much more thorny area as legal and regulatory practices and expectations can vary significantly and, for a multi-jurisdictional investigation, there are often no precedents or specific rules covering the protocol.
That said, all global firms should be visibly sensitive to any potentially conflicting international regulatory expectations — an internal approach which would be appropriate in one jurisdiction could put the firm into enforcement in another.
3. Corporate governance
Following the global review and revamp of prudential requirements is a focus on the need to improve the quality of corporate governance operating within firms. This focus is not limited to banks but is a regulatory shift towards increasing the quality of corporate governance, as well as improving supervision and oversight. An example of the shifting focus and change in regulatory expectation is highlighted in the FSA’s report on the failure of the Royal Bank of Scotland, which states that one of the main reasons for the failure was poor decision making by the board.
All firms should take the FSA’s list of contributory factors as a warning of what to avoid including, in particular, deficiencies in management capabilities and approach, and poor governance arrangements which failed to provide the required checks, balances and oversight. Compliance officers must ensure that the functionality of their firm’s corporate governance is sufficiently effective, all senior managers (including non-executive directors) understand and are able to explain their role and obligations in the governance framework and, perhaps most critically of all, that the entire approach to and outputs from corporate governance are coherently and consistently evidenced.
This is no small task given the profound challenges involved in unambiguously documenting qualitative (as opposed to quantitative) issues.
4. Management information
Good management information (MI) is the lifeblood of any firm. It is a key component of effective corporate governance, enables good business and strategic decisions to be taken, and gives management line of sight to the practical realities of what is happening in a business and how the firm is treating its customers.
There are many facets to MI, all of which need to remain under constant review. The compliance function should take a particular interest in both the overall systems and controls around MI and the specifics of risk reporting. A vital element in 2012 will be an increased need for a comprehensive suite of MI designed to assess how conduct risks are being managed.
There are several drivers for this, with the revamp of Basel, implementation of Solvency II and, in the UK, the creation of the FCA, all of which increase regulatory expectations for senior managers to track, monitor and mitigate conduct risks. In the UK there has been a recent swathe of fines for firms that failed in their suitability obligations towards their customers. A common thread running throughout these actions was the lack of good quality MI to inform managers of the issues.
Compliance officers need to play a central role in the design and maintenance of high-quality risk and compliance MI to ensure that senior managers are fully informed of any and all conduct risks arising. Given the increased focus on conduct risks, firms may wish to split out the MI arising from the analysis of proposed regulatory changes.
The boards of all financial services firms around the world must be kept informed of any and all regulatory changes which could affect their firm. It may help to maintain the focus on regulatory change if compliance officers develop a separate reporting pack devoted to the evaluation of changing regulation.
5. Board training and awareness
Sitting alongside the ongoing review of MI and the need for documented continuous improvement in corporate governance is the requirement for increased board training and awareness. Last year saw many senior individuals held to personal account for regulatory failings. Regulators around the world are making it clear that the boards of financial services firms should be seen to be accountable for the actions or inactions of their firm.
In practice the best support a compliance function can give its board is to ensure it has the risk and compliance skills needed to discharge its personal and collective accountabilities. In the UK for instance the FSA has published a guidance consultation (open for comments until January 18, 2012) on its expectations of non-executive directors in managing risks to retail customers. It is incumbent on compliance officers to ensure that the non-executive directors of their firm are made aware of the consultation and invited to contribute to the firm’s response.
As always, all board training should include an update on the likely impact of the proposed regulatory changes and should be comprehensively evidenced.
6. Data protection
All firms, whether financial services institutions or not, must consider their data protection arrangements in 2012.
In the European Union a new draft data protection regulation (as opposed to a directive) is due out at the end of January. This will require careful consideration by all those who either operate in or deal with Europe. Financial services firms can be holders of large quantities of potentially sensitive personal information and are required to have appropriate systems and controls to ensure that it is kept safely and used appropriately. The EU proposals are likely to contain concepts such as the “right to be forgotten” together with the potential for fines up to 5 percent of global turnover for serious data protection breaches.
The oversight of data protection within a firm often falls to the compliance officer, but wherever it sits the compliance function should ensure that appropriate, tested systems and controls are in place and that a strong working relationship has been built with each jurisdiction’s data protection regulator. This may well be particularly useful when the firm is considering the implications of the FATCA requirements which, at first glance, would appear to be in conflict with some data protection regimes.
7. Regulatory perimeter
It is not just the existing rules that will continue to evolve in 2012. There will also be changes to the types of activities that will become regulated. Last year saw the regulatory perimeter widen to include credit rating agencies and more hedge fund activities. This year is likely to see shadow banking and payments services begin to be included.
The FSB is working on the issues arising from the shadow banking system which it has described broadly as “credit intermediation involving entities and activities outside the regular banking system”. The G20 has endorsed the FSB’s approach and the compliance officer of any firm that is involved in, or interacts with, shadow banking should track closely the developing regulatory regime.
There is a similar approach towards payments services. The infrastructure of payment services is perceived as being systemically important and consideration is being given as to how best to regulate the sector to ensure its continuing effectiveness.
In the UK the government has stated as part of its response to the Independent Commission on Banking (ICB) that more needs to be done to bring the Payments Council within the scope of financial regulation, taking into account the relationship between the Payments Council, its members and inter-bank payment systems. HM Treasury intends to publish a consultation on a number of options that are being developed, including options for creating a regulatory structure for the Payments Council and the inter-bank payments regime, early in 2012. All firms use payments services of one form or another and so will need to consider the implications of the changes.
8. Recovery and restitution plans
So far “living wills” (designed to help ensure the orderly failure of a troubled firm) are only compulsory for large banks but all the indications are that they will become the norm for all firms of any size. The FSB is to add other financial services sector firms to its globally systemic list. It has already stated that recovery and restitution plans will be a main element of the extended regulatory regime to be implemented for any firm deemed to be internationally systemic.
Similarly national regulators are considering living wills for firms that are nationally systemic. Compliance officers will need to consider, and prepare senior managers for, the likely “what if” questions from their regulators. Some of the elements of any living will come from the stress and scenario testing already undertaken by firms as part of business as usual. The ongoing global economic uncertainties, however, mean that the breadth of the testing should remain under review.
9. Compliance skills and resources
Compliance officers will be well aware of the sheer sweep of regulatory changes proposed worldwide. With 2012 underway firms should as a matter of urgency review all compliance resources and skills to ensure they have the capacity and capability to successfully handle both the critical assessment of all relevant change proposals and the oversight of the implementation and embedding of any new requirements.
Any training required should be undertaken as soon as possible, but even more important may be the need to recruit more strength-in-depth skills. As has been shown time and again, investment in good compliance skills is not optional if a firm wishes to thrive in the longer term.
It is more than likely that, as 2012 progresses, strong compliance skills will become even more valuable and scarce as firms reassess their needs and the new regulatory bodies continue to recruit. Firms would be very well advised to identify any gaps in their compliance skills as a priority, secure the resource commitments and then recruit as quickly as possible.
10. Take a step back
Last, but not least, is the perennial challenge for compliance officers to take a “stand back” look at their firm. Compliance officers need to ensure that they can take the time to step away from the day-to-day activities of their function and assess the regulatory risk management of their firm as a whole.
There are certainly elements of this which can usefully be done in conjunction with the leaders of the other risk functions, but a regular holistic or helicopter assessment of the overall management of regulatory risks within the firm can be invaluable to ensure that best use is made of the compliance resources available.
((Susannah Hammond is a regulatory intelligence expert for the Compliance Complete service of Thomson Reuters Accelus. The article first appeared in Compliance Complete, and the views expressed are her own. Compliance Complete (http://accelus.thomsonreuters.com/solutions/regulatory-intelligence/compliance-complete/) provides a single source for regulatory news, analysis, rules and developments, with global coverage of more than 230 regulators and exchanges))