Ten things compliance officers need to do in 2017

Published 11-Jan-2017 by Susannah Hammond, Thomson Reuters Regulatory Intelligence

2016 started benignly for firms and their compliance officers. The end was both clear and in sight for many of the big regulatory reforms offering the future possibility of a risk and compliance agenda not dominated by significant change programmes. The potential for firms to innovate rather than have their entire IT change capacity absorbed by the ramifications of rule changes appeared to be in sight.

2017 looks different. A combination of Brexit, a Trump presidency and the rescheduling of a number of EU reforms has put regulatory change and uncertainty back into the spotlight. Super-size fines have returned too. The penalties imposed following the crisis had appeared to be declining as regulators sought more diverse ways of implementing credible deterrence and of increasing the potential for senior individual liability.

Toward the end of 2016, however, huge fines were again making headlines as enforcement action for the mis-selling of mortgage-backed securities (MBS) continued in the United States with settlements for Deutsche and Credit Suisse totalling $12.5 billion.

The MBS actions, which have included JPMorgan, Goldman Sachs, Morgan Stanley, Bank of America and Citi, are far from over. Further penalties are expected to be imposed on firms such as RBS and Barclays, which has chosen not to settle with the U.S. Department of Justice, and is taking the matter to court.

Firms and their compliance officers now face considerable change, and regulators appear determined to use an increasingly wide range of sanctions to drive home the need for effective compliance and the resulting good customer outcomes. There is a danger of fatigue, which will perhaps be further enhanced by the evolving regulatory expectations concerning culture and conduct risk.

Boards have always had to multitask but a crucial skill remains the ability to balance commercial and compliance demands to allow for business improvement and development rather than having all change capacity and capability taken up by regulatory issues. Uncertainty presents opportunities and firms should seek to influence their futures rather than watching the rulebooks change.

Compliance officers will need to be front and centre to give their firms the best chance of a trouble-free 2017. There is a range of problems which all compliance officers, no matter the size, jurisdiction or sector of their firm, must consider. In no particular order these are:

1) Preparing for uncertainty

Regulatory uncertainty has several ramifications for compliance officers. First, they will need to be clear that future uncertainty does not make the existing rulebook any less valid. Regulators are likely to use any policy hiatus to increase their supervision efforts, so firms should expect enhanced scrutiny of their ability to evidence compliant activities, particularly with regard to stated supervisory priorities such as the appropriate treatment of vulnerable customers and the implementation of culture and conduct risk policies.

A double check on existing compliance is also a good means of ensuring that any future change is built on strong foundations as well as acting as a refresher for senior managers as to the state of risk management in the business. The reporting and discussion of risk management could be used as the basis for developing a lobbying strategy on potential regulatory change.

Firms, with express compliance officer involvement, need to think through the implications for their own businesses of any possible changes, and then take senior-level decisions as to what good looks like for their businesses. "Good" in this sense could include a scenario which is neutral for the firm itself but potentially a significant threat for its competitors. Equally, if a possible threat is bad for the firm it might end up being worse for competitors, leaving the firm in a relatively better position.

Whatever strategy is agreed, firms should be prepared to engage with policymakers to try to influence future policy. It is in no one's interest to have poor-quality legislation or guidance.

2) Cyber resilience

For many compliance officers it must feel as though the boundaries of their roles, and of what is or is not deemed to be of interest to the compliance function, have done nothing but grow in recent years. The perimeter of today's compliance officer job description is much more nebulous and is driven by developing regulatory expectations regarding good customer outcomes, culture and conduct risk.

Good customer outcomes will be under threat should cyber resilience fail. Compliance officers do not need to become technological experts but do need to ensure that cyber risks are identified, managed, mitigated, monitored and reported on within their firm's corporate governance framework. One quick win would be to ensure cyber risks are included in the range of risks considered and that the board is prepared to discuss the actions taken to ensure everything possible has been done to embed cyber resilience throughout the firm.

Much of the best practice policy advice has shown that simple defence measures, done well, are effective against all but the most sophisticated and determined cyber attacks. Policy advice is starting to be codified into regulatory requirements with the New York Department of Financial Services requiring firms from March 2017 to establish and maintain cyber security programmes designed specifically to protect consumers and ensure the safety of New York State's financial services industry. Firms will be expected to tailor cyber security plans to any weaknesses highlighted in their risk assessments, to report cyber security events, to file copies of their updated security plans each year and to designate a chief information security officer.

3) Outsourcing

Compliance officers must be involved in the oversight of all significant outsourcing arrangements, none more so than when it is part of the compliance functionality itself which is to be outsourced. Outsourcing can be an efficient and cost-effective way to supplement in-house resources, but it must be delivered appropriately to be of benefit.

Outsourcing has come to the fore for all the wrong reasons in previous years, with Western Union in Eire and Raphael & Sons in the UK both being sanctioned for specific outsourcing failures, and in the United States a risk alert was issued warning of the dangers of outsourcing compliance. This focus led Thomson Reuters to include a question in its Cost of Compliance Survey 2016, and 25 percent of firms responded that they outsourced some or all of their compliance functionality.

There were two main influences: the need for additional assurance on compliance processes and, of potentially greater concern, a lack of in-house compliance skills. The range of activities which compliance functions are now expected to perform may be an underlying reason for the dearth of skills in-house.

While it is good compliance functions have recognised a skills gap, firms need to keep the balance between in-house expertise and any outsourcing under review. It is critical firms continue to invest in all aspects of their risk and compliance infrastructure.

The golden rule for successful outsourcing is that while activities can be moved to a different group, company, or a third party, the skills to manage those activities must be retained in-house. This may be less obvious in an intra-group outsourcing scenario but for a separate legal entity with a separate licence, it is essential. If there is a branch or other structure involved, then the firm needs to consider the efficacy of the outsourcing arrangements and the skills, governance and local responsibilities of the branch.

Risk, compliance and internal audit functions should include outsourcing in all their monitoring plans. Elements to consider for testing are:

4) Culture, conduct risk and compensation

In previous years regulators have focused on conduct risk. This has now morphed into a near-universal expectation that firms must consider how culture and conduct risk affect every aspect of their operations. In practical terms, this has led to a greater focus on compensation practices. As William Dudley, president and CEO of the Federal Reserve Bank of New York, said: "To put it very simply, incentives drive behavior, and behavior establishes the social norms that drive culture. If the incentives are wrong and accountability is weak, we will get bad behavior and cultures."

Dudley's comments pick up on the FSB's broader review of conduct, as part of which it hosted a roundtable to share experiences on the use of compensation tools to address misconduct in banks. Although the roundtable focused on banks it was also relevant for the compliance officers of other firms. Participants recognised compensation and conduct were directly linked and were increasingly looking to manage conduct via compensation tools both ex ante (explicit performance targets and encouragement of positive behaviour) and ex post (ensuring appropriate consequences for poor behaviour). They also acknowledged that the use of compensation tools to drive good compliance outcomes should not be overemphasised.

More generally, banks were keen to turn values into actions and ensure lines of business "owned" conduct risk. Many banks use their codes of conduct to set the framework for expected behaviour, and to outline their expectations about roles and responsibilities. Performance objectives are increasingly linked to the values or ethics reflected in codes, and there is more emphasis on related assessments of risk management and conduct in year-end performance assessments. Importantly, there is also recognition that other values may pull away from these goals; for instance, conduct and profitability drivers may clash.

Other points included the importance of "tone from the top" in signalling where to place the balance between performance and customer and counterparty interests and the need to allow time to embed already issued regulations and guidance.

A number of firms said they would welcome more guidance from regulators on "what good looks like" and would welcome initiatives such as further roundtables to share examples of better practice. Supervisors are seen as playing an important role in identifying better practices, conveying them to the industry and promoting consistency across markets. Compliance officers need to ensure they stay in touch with developments on compensation practices and ensure that their monitoring programs encompass all aspects of incentives in their firm.

5) Regtech

The scope of technological innovation is beginning to change the marketplace, and fintech has the potential to compete with, and enhance, existing financial services offerings. Thomson Reuters Regulatory Intelligence undertook a review of fintech, regtech and the specific expectations on the role of the compliance function following the findings of the Cost of Compliance Report 2016, which suggested technology presented a bigger challenge for compliance than ever before.

Regulators will expect firms to make best use of fintech. Compliance functions are likely to come under scrutiny if they are not seen to be considering and deploying regtech solutions to aid regulatory risk management. The industry is in danger of becoming fragmented, with those firms whose risk and compliance functions have fully engaged with fintech (21 percent) at one end of the spectrum and, at the other, the 16 percent of risk and compliance practitioners who reported they did not need to be involved with assessing the implications of fintech.

The significant differentiating factor may be skills combined with a need to revamp older, disparate IT systems. Firms (and regulators) would be well-advised to undertake an IT skills audit that highlights and begins to remediate any gaps. Such an audit would also need to ensure the firm is prepared when regulators ask about skills at board and other levels, and about the potential (over)use of consultants.

The audit should cover technological skills throughout the firm, not just in the IT department, to ensure all functions (risk, compliance and internal audit included) have the appropriate levels of IT expertise for their roles.

The need to revamp IT skills and systems may well require substantial investment. The wide spread of budgetary expectations revealed by the report highlighted the differences, with respondents reporting that although almost a quarter (24 percent) lacked a budget for regtech, a third (35 percent) expected the budget for regtech solutions would grow in the coming year.

Insufficient investment in technology and associated skills will leave firms and their compliance functions without the infrastructure to thrive into the medium to long term and, specifically, the compliance function will be unable to reap the benefits of regtech.

6) Data protection

In financial services firms data protection is often part of the compliance function's remit. The profile of data protection is set to rise with the changes emerging from Europe, which will have international implications. Specifically, the General Data Protection Regulation (GDPR) will enter into force on May 25, 2018 and is aimed at strengthening and unifying data protection for EU citizens.

An important feature of the new regulation is enhanced rights and protections for individuals including an enhanced "right to be forgotten" and the need for unambiguous and/or explicit consents for the use of personal data. Firms should consider reviewing their approach to, and evidence for, good data protection to ensure they have a solid base from which to consider any systems or other changes required by the regulation. The GDPR takes the regulatory focus on data protection to the next level with the potential for fines of up to 4 percent of global annual turnover.

Early indications from the UK Information Commissioner's Office are that GDPR will be implemented in the UK irrespective of Brexit.

7) De-risking

De-risking can be seen as a side-effect of greater regulatory intrusiveness combined with the more stringent approach to enforcement. Firms are reviewing their business models and activities and choosing to divest themselves of anything perceived as carrying too much regulatory or other risk. De-risking is widespread, with HSBC reported to have withdrawn from or disposed of 74 businesses since 2011, all of which were considered, particularly in the light of U.S. enforcement action, to be too risky. One example is the impact on correspondent banking which is seen as an essential component of the payment system, especially for cross-border transactions.

Banks have traditionally maintained a broad network of correspondent relationships, but there are growing indications that firms are cutting back the number of relationships they maintain and are establishing fewer new ones. The main reason appears to be the uncertainty about how far customer due diligence should go to ensure regulatory compliance — in effect, to what practical extent banks need to know their customers' customers (KYCC). As a result correspondent banking has been subject to de-risking with the associated withdrawal of services which:

8) Management information

Reporting, both internally and externally, is an essential part of the compliance function. Done well, it provides a critical information flow which evidences a compliant, risk-aware business. Done badly, it creates huge problems and provides a signal for regulators to initiate a wider investigation of the firm's activities and potentially even enforcement action.

The greater focus on culture and conduct risk, combined with heightened personal liability, has driven the need for boards and senior managers to have a clearer understanding of risk management and compliance which, in turn, is likely to drive improvements in management information and internal reporting. High-quality information is also critical to ensure senior individuals are in a position to discuss risks and their management with regulators.

Compliance officers should review all risk and compliance management information, the efficacy of its sources and any inherent assumptions, as well as the clarity and consistency of internal and external reporting. Good management information is the lifeblood of any firm and will become even more important given the need for firms to evidence they and their senior managers have done all of the right things in all of the right ways.

Compliance officers might also consider the potential to combine reporting at the highest level of the firm so that compliance, risk, internal audit and legal present a single coherent view on the state of risk management to the board.

9) Financial crime

The downsides to getting things wrong in money laundering, know-your-customer, ultimate beneficial ownership and sanctions have become so expensive that many firms have created separate specialist functions to manage the risks. However a firm chooses to organise its approach to the prevention of financial crime, the compliance function needs to remain involved given the links to regulatory risk. Many firms will have reviewed their approach to financial crime and beneficial ownership in particular following both the Panama Papers revelations and the Financial Action Task Force post-visit reports on Canada and the United States.

While any regulatory changes to implement the FATF recommendations in North America are awaited, in Europe the Fourth Money Laundering Directive will take effect from June 2017 with changes to beneficial ownership, customer due diligence, the risk-based approach and politically exposed persons.

As part of the overall approach to risk management in the firm compliance officers may wish to consider conducting pre-emptive reviews of their approach to, and ability to evidence compliance with, all aspects of AML/CTF, bribery, corruption, fraud prevention and sanctions requirements. For example, they might undertake specific regular financial crime risk assessments which are judgement-based and aim to highlight risk areas, determine how well the risks are being managed, and hence provide the basis for a risk-based allocation of resources to the highest-risk areas as well as providing the basis for remedial and other risk mitigation plans.

10) Personal liability

Lastly, there is the question of personal liability for compliance officers. The Cost of Compliance 2016 report showed personal liability to be a perennial worry for compliance officers with 60 percent of respondents (59 percent in 2015) expecting the personal liability of compliance officers to increase in the next 12 months, and 16 percent expecting a significant increase. The situation is more acute among global systemically important financial institutions, where 27 percent expected a significant increase in personal liability in 2016.

Regulators have made clear the rationale behind their drive to hold individuals to account. The impact on the cost of compliance and whether it makes it harder to recruit individuals to higher-stakes compliance roles remains to be seen. Greater personal liability is a reality in many jurisdictions. In theory, individuals could already have routinely been held accountable but it was often simpler, quicker and easier for regulators to pursue firms. As a result, regulators have themselves been criticised for not disciplining senior individuals for failings which contributed to the financial crisis.

The intention is not to necessarily increase levels of enforcement but rather to encourage improved risk-awareness, leading to more consistently good customer outcomes. One of the most challenging methods employed by regulators is the use of personal attestations, which are seen as a good way to focus senior managers' attention. If the signatory either fails to give the required attestation or a compliance breach is found in the attested area, it should be a straightforward matter to pursue enforcement against the senior manager involved.

The UK has perhaps taken the most decisive steps toward changing expectations of senior managers. Since March 2016, banks and the largest asset managers (UK Prudential Regulation Authority-designated investment firms) have been subject to the new Certification and Senior Managers Regime, which requires firms to allocate prescribed responsibilities to individuals and document the accountabilities in formal "responsibilities maps". The regime is due to be rolled out to all UK-regulated firms in 2018.

The United States, Canada, Hong Kong and Australia have all made policy moves to drive both personal accountability and the need for consistently better behaviour by senior individuals, compliance officers included.

Personal liability is here to stay, so compliance officers must assess for themselves what "good" looks like in terms of their own personal regulatory risk management, which, in turn, can be used as the blueprint for everyone else. There are several benefits for compliance officers who think through in detail how best to manage their own personal regulatory risk. They will have a better chance of staying out of trouble, and they will be able to advise fellow senior managers on best practice. Once they have the infrastructure and protocols in place to manage their own risk, they will be able to devote more attention back to overseeing the firm's compliance.

For more information on Thomson Reuters solutions for regulatory compliance, visit risk.thomsonreuters.com
