The compliance officer role in heavily regulated industries, such as energy, healthcare and financial services, is one of evolving and expanding responsibility these days.
The compliance officer is charged with spotting risk and pursuing the policies and procedures that bring such exposures to levels deemed acceptable as contemplated by agency regulations and local and federal laws.
Risk managers, historically seen as technical staff skilled at quantitative calculations and capable of understanding technology, are now also required to be good communicators, able to explain risks within banks, broker-dealers, investment advisory firms and other organizations.
The emphasis on risk profiles – particularly when it comes to cyber security best practices – has thrown a spotlight on the compliance officer’s role beyond rule establishment and regulatory reporting. Compliance officers have to understand the business – the challenges the firm faces today and those it could in the near future – and they must not only seek to avoid risk, but make the whole firm aware of its risks.
It’s a tall order. Their success can depend on the authority they are given over their main areas of responsibility, the independence they are given in firms, and their access to the top executives and board of directors.
In institutions in which the risk management culture is not strong, the compliance officer is likely to be treated as more of a back-office employee – or ignored.
For some healthcare giants, the federal government had to weigh in and mandate the separation of the general counsel and the chief compliance officer (CCO), but four of the biggest players in the financial services field separated and promoted their CCOs on their own initiative after years of keeping them under the direct authority of the general counsel: JP Morgan Chase, Goldman Sachs, and Barclays.
UK banking giant HSBC appointed former Treasury Department official Bob Werner to a new, executive-level role following a $1.92 billion settlement of money-laundering charges with the U.S. Department of Justice.
Undergirding these moves by large banks and other firms in the United States is the Compliance Program Rule (SEC Rule 206(4)-7) and the U.S. Federal Sentencing Guidelines, the latter of which was amended to reward companies implementing effective compliance programs by protecting them from criminal liability in the first place, or at least entitling them to a reduction in sentence if they were found criminally liable.
The rule and guidelines set forth the critical elements an effective compliance program should have, such as a significant ethics component and the involvement of senior management in operating and overseeing the compliance program.
The chief compliance officer
The role of the CCO can vary between firms, but according to the Securities and Exchange Commission (SEC), the CCO must be (1) competent and knowledgeable regarding the Advisers Act; (2) empowered with full responsibility and authority to develop and enforce the firm’s policies; and (3) of sufficient seniority within the firm that he or she can effectively compel others in the firm to adhere to the program’s requirements.
Some of the tasks associated with the compliance officer’s duties can be outsourced, but ultimate oversight of the program, and the documentation and reporting of the program’s features and tested effectiveness (to top executives and the board), should lie with an internal employee.
Implementing a compliance program
No specific requirements are included in the rule regarding how to structure a compliance program, but ample guidance from regulators in their enforcement decisions, investor alerts and speeches gives companies a heads-up as to what will be examined in an inspection.
These components include which records must be retained and for how long; which disclosures must be made to clients or prospective clients; how conflicts of interest (or potential ones) are identified, managed and disclosed; the controls used to guard against misuse of non-public inside information; and the protection of non-public customer data.
They also include maintaining an effective anti-money laundering program that is tested at least annually, and risk monitoring that takes into account risks in the market; risks encountered in the firm’s business partnerships; funding and asset liquidity risks that must be managed to permit ongoing trading; and operational risks such as systems failures, trade errors and frauds committed by employees.
To ensure the uninterrupted delivery of services and the protection of client data, the firm should have updated and well-tested plans for business continuity and cyber security that provide for alternate locations of stored information and controls around who can access such data. The firm must be prepared to show how it safeguards client assets from conversion or misuse.
Conducting risk assessments and the annual review
The annual review and risk assessment are continuing processes, based on policies and procedures that help firms identify and mitigate compliance risk. They offer the firm the chance to ask if it is detecting problematic conduct with its policies, and if there is a better way to prevent risks based on certain products or problematic conduct by an individual or others.
A mock regulatory inspection directed by the compliance and audit teams can help uncover weaknesses and document the corrective actions taken. Products, services, customers and business partners that present a higher risk to the company should be identified, as should the specific steps taken to subject them to special oversight and mitigate those risks.
Developing a compliance calendar can help allocate the resources of time, money and personnel that are needed for the next internal review and specify those areas in need of improvement.
Access to top executives and the board
In its formal examinations of firms, the SEC has moved to routinely include interviews with top firm executives in an attempt to get a sense of compliance culture as a whole.
According to Kevin Goodman, national associate director of the SEC’s Office of Compliance Inspections and Examinations (OCIE)’s broker-dealer exam program, the endeavor is meant to bring the compliance role to the forefront of an organization. Goodman said that the practice will force the executive management team to be more involved in the compliance program and, in many cases, encourage them to work with the compliance team on firm processes previously only known to the compliance department.
SEC examiners will take into account how well the compliance program is constructed, the degree of seriousness the program is afforded, and how active top executives are in their firm’s compliance and risk management processes.
According to Accenture’s 2015 Compliance Risk Study – based on a survey of leading compliance officers at 150 banking, insurance, and capital markets firms in North and South America, Europe, and Asia-Pacific – investment in the compliance function will continue to increase by at least 10 percent over the next two years. Respondents also resoundingly indicated that working with their colleagues to deliver compliance processes was the key to the long-term sustainability of the compliance function.
As the costs of non-compliance rise, both in dollar terms and in reputational costs, investing in compliance is the best means for firms to ensure their own sustainability and their wherewithal to thrive over the medium and longer term.