Achieving a culture of compliance

      Employee misconduct can have far-reaching consequences for both financial firms and the broader market. Globally, the numerous, well-publicised cases of misconduct are evidence that major financial institutions continue to be involved in product mis-selling, market-rigging, the facilitation of tax evasion, sanctions violations and money laundering. This has prompted regulators to look at ways of preventing misconduct by instilling a “culture of compliance” within financial services firms.

      In this article, we set out some thoughts on how firms can create a robust compliance culture.

      At Waystone Compliance Solutions, we are frequently asked how to create a culture of compliance. Simply put, an organisation that adopts a culture of compliance is one that places legal, regulatory and ethical outcomes at the heart of its considerations and incorporates that goal in its governance arrangements, strategic planning and decision-making processes.

      A culture of compliance requires at least the following essential components:

      Effective corporate governance

      Financial services firms must have corporate governance frameworks that not only promote the sound and prudent management of their business but also protect the interests of their customers and stakeholders. Significant management responsibilities must be apportioned in a way that is appropriate to the business and affairs of the firm and the relevant individual’s abilities. Clarity of responsibility is key to effective control.

      The board must therefore ensure that senior managers and employees at all levels of the firm are clear about the nature and scope of their duties, the limits of their authority, the guidelines they must adhere to and their lines of reporting and supervision. They must also know that they are accountable for their acts and omissions and that the firm’s systems and controls provide a sufficient audit trail to support this.

      The board is also responsible for setting the organisation’s business goals and strategy and for defining the level of risk the organisation is prepared to accept in achieving these. The board must ensure its proposals are not only right for the organisation as a whole but that they will also result in legal and ethical outcomes for customers and other stakeholders. Non-executive directors have an important role to play in this process and the board should also obtain expert input on its proposals from the risk and compliance functions to ensure that all significant risks have been identified and can be properly managed.

      In communicating the business plan and strategy to the firm, the board must make employees at all levels aware of what is expected of them in pursuit of those objectives, not only in terms of financial and operational performance but also in terms of conduct that is acceptable and that which is not. Importantly, this “tone from the top” must make employees aware that they will not be rewarded for misconduct, even in circumstances where it is profitable for the firm.

      Management accountability

      Business unit managers must establish an effective control environment in which to implement the firm’s business strategy and pursue its goals within the guidelines established by the board. They are the first line of defence in keeping “on track” the part of the business for which they are responsible. As such, they must not only lead by example in promoting the conduct guidelines adopted by the board but, crucially, they must act with due care and diligence in ensuring that their unit is organised so that it can be properly managed and operates in a compliant manner.

      The board must ensure that business unit managers are fully aware of the nature and scope of their responsibilities, are not compromised by unresolved conflicts, especially in relation to remuneration, and are fully supported by the resources they need, particularly in relation to risk and compliance. It is important that business unit managers are made aware that they will be held to account if they fail to take reasonable steps to prevent non-compliance in their area of responsibility.

      Recruitment, training and supervision

      A firm’s recruitment procedures must be designed to ensure they employ persons who are suitable for the positions they have applied for. This is important not only in the case of applicants for positions of trust but also for persons who will have significant management responsibilities or risk-taking authority. In all cases, the initial vetting procedures should include checks for criminal behaviour and regulatory malpractice, as well as the authenticity of qualifications, references and curriculum vitae. In some institutions, these procedures are supplemented by psychometric testing that may help to identify any propensity for reckless behaviour or wilful misconduct.

      The organisation should have in place a formal training and competence plan that maps out the individual’s training needs from the outset. The employee should be monitored for progress and supervised until he/she has been assessed as able to work independently. Training should address compliant behaviour and ethical conduct and should at least clarify the headline issues and the policies and procedures that support them. Employees should know that any case of doubt should be escalated to management or to the compliance department for guidance on if and how to proceed.

      Remuneration strategies and disciplinary policies

      The way that employees are rewarded, in particular, revenue-generating employees, influences not only their performance but also their behaviour. As a general principle, financial services firms should operate remuneration structures and strategies that are aligned with the long-term interests of the firm, preserve the independence of the control functions and should not incentivise misconduct or excessive risk-taking.

      When formulating remuneration strategies, particularly incentivisation schemes, organisations must understand not only what motivates their employees to deliver the desired level of performance but also what might incentivise them to behave inappropriately. When structuring remuneration strategies and incentive schemes, firms must identify any features that might result in misconduct and either remove them or ensure that they are carefully monitored to ensure that misconduct does not occur.

      The threat of serious disciplinary action by the organisation against an employee can be a powerful deterrent to misconduct. A compliant organisation is one in which disciplinary action for non-compliant or unethical behaviour is understood by employees at all levels as a real and serious threat, both to their compensation and to their future employment within the organisation. Employees should also be made aware that regulators may be able to take such action against them directly.

      Effective controls and control functions

      The business unit managers are the first of three lines of defence; the compliance function is the second, and the internal audit function the third. The compliance function, together with finance, risk and legal, will advise business unit managers and the board on the risks to be addressed and the systems and controls necessary for managing them. Crucially, the compliance function will monitor their proper execution and report to business unit managers and the board on their existence and effectiveness.

      A compliant organisation should have a well-resourced compliance function that has ready access to senior management, the information and records it needs to examine the business, and the authority and independence to undertake its work objectively. Both the first and second lines of defence should be subject to review by the internal audit function to ensure that they are meeting their control obligations.

      In addition to compliance with specific rules and regulations, a firm’s systems and controls must also identify and cover the risks arising from conflicts of interest, particularly those associated with remuneration policies, product design and sales and market practices, which may result in undesirable outcomes for customers and other stakeholders.

      A compliant organisation should maintain an inventory of its key compliance risks and all significant conflicts of interest, together with details of how they will be managed and controlled. The necessary policies, procedures, systems and controls must be fully documented, approved by the board and implemented by senior management, together with appropriate training.

      Monitoring, feedback systems and whistleblowing

      The internal audit and compliance functions will operate risk-based review programmes, the results of which they will share with each other and report to the board and management to provide them with key management information.

      Firms that are committed to ethical outcomes will also ensure their reviews cover customer satisfaction indicators, such as the number and nature of customer complaints, repeat business and customer retention metrics. Firms will look into these closely to understand the results and assess what changes to systems and controls, employee training, and so on may be necessary.

      A firm with a good compliance culture will also operate a whistleblowing procedure within which employees can raise issues of concern in a structured and protected manner, without fear of reprisal.

      Ultimately, a culture of compliance is one that places good outcomes for customers and market users at the heart of the business. In doing so, a firm should be better able to meet its obligations to customers, regulators and other stakeholders and therefore reduce exposure to the risk of regulatory enforcement, civil claims, criminal prosecution, and reputational damage.


      How can Waystone Compliance Solutions help?

      Our team of experienced compliance professionals have a wealth of knowledge across all aspects of compliance advisory. If you would like to find out more about how we can help you to achieve a strong compliance culture within your organisation, please reach out to your usual Waystone Compliance Solutions representative, or contact us below.
