Structuring the compliance function
Each organisation has unique characteristics, including its risk profile, governance structure, geographical spread and business operations. To achieve optimal compliance, it is essential to design a tailored framework that aligns with these specific needs.
Heightened regulatory scrutiny on compliance frameworks
In recent years, regulatory scrutiny of compliance frameworks has intensified. Authorities such as the UK’s Financial Conduct Authority have emphasised the importance of effective compliance structures and have commissioned many Skilled Persons reports on the adequacy of compliance arrangements, which often included an assessment of compliance structure. This increased oversight underscores the need for financial institutions to prioritise compliance and to ensure that their compliance functions are adequately resourced and structured.
The responsibility for effective compliance and risk management rests with the senior management of authorised firms. It is important, therefore, for Heads of Compliance to get their control structure right and to make it relevant to the nature, scale and complexity of their own business.
Considerations for determining an optimal structure
There are several considerations when structuring your compliance function. Because each firm is unique, the key drivers will vary, but they may include the areas outlined in Figure 1.
Figure 1 – Factors to Consider When Structuring Your Compliance Function
We have examined these considerations in more detail below, including how they may impact the optimal compliance structure.
Size, business unit needs, and complexity of firms
The size of a firm, including the number of employees and geographic spread, can be a key driver in the design of the compliance structure. For example, in smaller firms with fewer than 100 employees and fewer than five offices, it could be disproportionate to develop a complex compliance structure with multiple reporting lines and segregation of specific compliance roles. In contrast, for a large banking corporation with many employees and places of business, it would be appropriate to create a more complex and bespoke compliance structure, taking into account the number of employees, multiple jurisdictions, and product and business line specialists within the structure. In a small firm, the compliance structure would typically be one-dimensional with limited segregation of duties, whereas in larger firms the structure will have the characteristics of a pyramid.
Larger firms will also have business units and should consider aligning their compliance function to the output and exposure of those business units. Business units typically operate on a standalone basis and have their own P&L to consider. Firms must be cognisant of the impact of this segregation and evaluate whether one central compliance team will be as effective as a series of sub compliance teams that are aligned with the business structure. By establishing a wholesale compliance team, or a commercial banking compliance team etc., firms can have a dedicated, skilled compliance resource working closely with those business units, fostering a stronger knowledge of the business, and greater alignment between the business, compliance and the governance arrangements, thus giving better management of risk across that vertical.
Product suite
Where organisations offer a large range of products, such as investment, lending, corporate, or deposit products, the regulatory requirements that apply are typically extensive, meaning far-reaching controls are required, as well as a wider range of skill sets across the compliance function. In an organisation with a diversified product offering, it is important that Compliance Officers with appropriate knowledge and experience are deployed. For example, an individual with experience in credit cards is unlikely to fully understand or appreciate the products or transactions typical of wholesale banking. As such, when calculating the number of compliance resources required, and the allocation of those resources, organisations should factor in the specialist competencies and skill sets required to deliver effective compliance control.
Some products are more complex than others, and this can also give rise to additional considerations within the compliance structure. Layers of review and approval may be required with regard to certain complex products such as trade finance solutions. Regulators often place greater requirements on certain product types. For example, structured investment products for the retail sector are an area where there is likely to be close compliance scrutiny, not only at the sales interface but also at the product governance and post-sale stages.
Control structure
Compliance is an important control function in financial services organisations. The Basel Committee on Banking Supervision’s (“BCBS”) paper, “Compliance and the compliance function in banks”, contains a set of principles, which underpin the establishment of an effective compliance function. Principle 4 in this paper states, “the bank’s senior management is responsible for establishing a permanent and effective compliance function within the bank as part of the bank’s compliance policy.” The active ingredient in this principle is the word “effective”. The paper goes on to outline some of the characteristics that make up an effective compliance function:
- the compliance function should be independent
- the compliance function should have the resources to carry out its responsibilities effectively
- the compliance function’s responsibilities should be clear
- the compliance function should be subject to review by internal audit.
As a key control function, compliance must feature in an organisation’s risk governance arrangements, with participation in governance fora, monitoring business activities, distribution of important management information and development of specific risk assessments and mitigants.
The compliance function typically belongs in the second line of defence, similar to other control functions. However, significant elements of control, such as operational controls, will reside in the first line of defence. When allocating compliance responsibility across the lines of defence, firms should ensure that the compliance function remains independent. For example, where compliance resources are deployed into business units with reporting lines into business line management, there should be scope for compliance to escalate issues outside of this reporting line, and into the central compliance function or an independent committee. Compliance controls should also be allocated in a way that minimises conflicts of interest and maintains independence.
There may also be an overlap of activity with other functions, including risk and legal. In this instance, it is important to establish which function is responsible for specific control activities, and how reporting or escalation will work in those instances. Effective risk governance will only be achieved where there are clear allocations of responsibility, clear reporting lines and defined arrangements for escalating issues.
What structure is right for your organisation?
Each organisation has its own genetic makeup, and the one-size-fits-all approach to structuring the compliance function is not appropriate. It is important that organisations develop a compliance structure to accommodate the nature, scale and complexity of the business.
We have set out below a number of examples of differing compliance structures, to illustrate how unique structures can be in relation to an organisation.
Figure 2 – Centralised Compliance Function
In Figure 2, the structure is designed to centralise the compliance function, but clearly distinguishes between compliance activities and, significantly, retains independence and reduces conflicts of interest. One of the key areas where conflicts of interest can arise in a compliance function is through the provision of compliance advice. Where the size of the organisation permits, a clear segregation between advice and assurance should be maintained. Regulators want to see that true second line activities such as assurance are separated from quasi-first line activities such as advice and guidance.
Responsibilities of the compliance function
The BCBS paper outlines the key responsibilities of the compliance function:
- advice
- guidance and education
- identification, measurement and assessment of compliance risk
- monitoring, testing and reporting
- statutory responsibilities and liaison
- coordination of a compliance programme.
These responsibilities can easily be allocated to the broad roles in Figure 2. Advice, guidance and education can be assigned to the compliance advisory vertical. Identification, measurement and assessment of compliance risk, and coordination of a compliance programme can be allocated to the central compliance vertical. Monitoring, testing and reporting will be the responsibility of the compliance assurance vertical and statutory responsibilities and liaison can be assigned to the regulatory liaison vertical.
Figure 3 – Business Line Compliance Function
Figure 3 shows an organisational structure that supports business line segregation. This approach is typical in large banks where each business unit is representative of an organisation in its own right. Note that the divisional Heads of Compliance report to their respective business heads but maintain a dotted reporting line to the Group Head of Compliance. This is to ensure that compliance risks are controlled for each business unit, whilst at the same time informing the Group Head of Compliance of delivery against the compliance programme, and any instance of non-compliance. The Group Head of Compliance will also support the Business Head in setting relevant objectives for the divisional compliance team, and in carrying out appraisals of the divisional Head of Compliance. Often, in large organisations, each business unit has its own governance structures and risk management arrangements. As such, it is essential that compliance becomes divisional, otherwise there could be a breakdown in risk management.
It is important to note that in the divisional arrangement, compliance resources are able to escalate concerns directly to the Group Head of Compliance, in order to retain the function’s independence. It is also essential that management information from the business unit flows to the Group Head of Compliance, so that adequate group-wide reporting can be provided to the Board and its sub-committees.
Evolution of compliance functions
Since the financial crisis, compliance functions have undergone change, primarily driven by lessons learned from increasing compliance risks, but also following on from increased intrusion and intervention by regulators. In addition to this, the compliance job market has grown enormously, with Compliance Officers becoming more fungible than ever before. As senior compliance personnel move from firm to firm, they bring ideas of optimal compliance structures from their previous organisations. Restructuring a compliance function should not be a plug-and-play exercise and should be based on a clear assessment of an organisation’s business structure and footprint along with due consideration of the compliance risk universe.
Mitigating conflicts of interest in smaller firms
Smaller firms with one-dimensional compliance structures are subject to potential conflicts of interest because size constraints prevent adequate segregation of duties within the compliance team. These compliance teams often multi-task, covering aspects of advice and operational control as well as assurance. In this case, Boards should aim to reduce the potential conflicts and obtain independent assurance from an external expert, who can carry out periodic compliance monitoring and testing, providing the Board with a clear independent view on the state of compliance.
Considerations before changing compliance structures
Change in compliance structure should not be embarked upon without a clear rationale and plan to deliver the change. Firms should define a target operating model of where they want the compliance function to be and set out the steps to achieve that target state. A change in compliance structure should not be done in isolation from the business. Heads of Compliance should seek approval and buy-in from senior management before embarking on any structural change. This will ensure alignment with the business in general, allowing the compliance function to operate within the existing risk governance framework.
How can Waystone help?
Our experienced team of UAE compliance advisors can provide firms with effective solutions to manage regulatory risk across a range of areas, including:
Identifying risks
- help identify the compliance risks in your business
- advise senior management on how to control these risks
Target operating model
- provide a target operating model to record current and target states
- develop an action plan to deliver timely achievement of target state
Governance structure
- develop effective governance structures, appropriate reporting lines, clear job descriptions, and terms of reference
Effectiveness reviews
- review the compliance function for appropriateness and effectiveness
- make recommendations for improvement and help implement changes
Independent assurance
- undertake independent assurance reviews
- report periodically to the Board and its sub-committees.
If you would like to find out more about our compliance advisory solutions, please reach out to our Middle East compliance solutions team today.