The Middle East Knowledge Series: Achieving a Culture of Compliance
“The DFSA will need to see an adjustment in the tone from the top to foster a culture which has compliance and risk management fully embedded in it”
The above is an extract from a recent DFSA risk mitigation programme, and is a topic that we frequently see raised by the DFSA in discussion during risk assessment visits, which begs the question: how do you demonstrate to the DFSA that your organisation has the appropriate compliance culture?
The behaviour of employees in the financial services industry directly affects their firms’ treatment of customers and conduct in financial markets. Globally, numerous, well- publicised, cases of misconduct show that major financial institutions continue to be involved in product mis-selling, market-rigging, facilitating tax evasion, sanctions violations and money laundering (often on a massive scale) and have prompted regulators to look again at ways of preventing misconduct by instilling a “culture of compliance” in financial services firms.
Simply put, an organisation that adopts a culture of compliance is one which places legal, regulatory and ethical outcomes at the heart of its considerations and incorporates that goal in its governance arrangements, strategic planning and decision-making processes. A culture of compliance requires at least the following essential components:
- Effective corporate governance and communication of the “tone from the top”
- Rigorous recruitment, training and supervision processes
- Appropriate remuneration strategies and effective disciplinary policies
- Management accountability for effective supervision
- Effective controls and control functions
- Whistleblowing, monitoring and feedback systems
Financial services firms must have corporate governance frameworks that not only promote the sound and prudent management of their business but also protect the interests of their customers and stakeholders. To this end, significant management responsibilities must be apportioned in a way that is appropriate to the business and affairs of the firm and to the relevant individuals’ abilities. Clarity of responsibility is key to effective control. The Board must therefore ensure, through the use of organisation charts and detailed job descriptions, that senior managers and indeed, employees at all levels of the firm, are clear about the nature and scope of their duties, the limits of their authority, the guidelines they must adhere to and their lines of reporting and supervision. They must also know that they are accountable for their acts and omissions and that the firm’s systems and controls provide sufficient audit trail to support this.
The Board is also responsible for setting the organisation’s business goals and strategy and for defining the level of risk the organisation is prepared to accept in achieving them. The Board must ensure its proposals are not only right for the organisation as a whole but that they will also result in outcomes for customers and other stakeholders that are legal and ethical. Non-executive directors have an important role to play in this process and the Board should also obtain expert input on its proposals from the Risk and Compliance functions to ensure that all significant risks have been identified and can be properly managed.
In communicating the business plan and strategy to the firm, the Board must make employees at all levels aware of what is expected of them in pursuit of those objectives, not only in terms of financial and operational performance but also in terms of conduct that is acceptable and that which is not. Importantly, this “tone from the top” must make employees aware that they will not be rewarded for misconduct, even in circumstances where it is profitable for the firm.
Clearly, a firm’s recruitment procedures must be designed to admit only persons who are suitable for the positions they have applied for. This is important not only in the case of applicants for positions of trust but also for persons who will have significant management responsibilities or risk-taking authority. In all cases, the initial vetting procedures should include checks for criminal behaviour and regulatory malpractice, as well as the authenticity of qualifications and curriculum vitae. References should also be obtained. In some institutions, these basic procedures are supplemented by psychometric testing that may help to identify any propensity for reckless behaviour or wilful misconduct.
The organisation should have in place a formal training and competence plan which maps out the individual’s training needs from the outset. The employee should be monitored for progress and supervised by a responsible senior until he has been assessed as able to work independently. Training should address compliant behaviour and ethical conduct and should at least clarify the headline issues and the policies and procedures that support them. Crucially, employees should know that any case of doubt should be escalated to management or to Compliance for guidance on if and how to proceed.
The way employees – especially revenue-generating employees – are rewarded, influences not only their performance but also their behaviour. As a general principle, financial services firms should operate remuneration structures and strategies that are aligned with the long term interests of the firm, preserve the independence of the control functions and do not incentivise misconduct or excessive risk-taking.
In formulating remuneration strategies, especially incentivisation schemes, organisations must understand not only what motivates their employees to deliver the desired level of performance but also what might incentivise them to behave inappropriately. Amongst others In this latter category are greed – e.g. the desire for enrichment such as from a promotion or bonus for achieving a target; fear – e.g. the threat of dismissal or missing out on a financial benefit for failing to achieve a particular target; and ego – the desire to be lauded as the best, as in the “star trader” syndrome. All of the above can motivate employees to cut corners in procedures and engage in, or turn a blind eye to, unethical behaviour. Therefore, when structuring remuneration strategies and incentive schemes, firms must identify any features that might result in misconduct and either remove them or ensure that they are carefully monitored to ensure that misconduct does not occur.
The threat of serious disciplinary action by the organisation against an employee can be a powerful deterrent to misconduct. A compliant organisation is one in which disciplinary action for non-compliant or unethical behaviour is understood by employees at all levels as a real and serious threat both to their compensation and future employment with the organisation. Employees should also be made aware that regulators may also be able to take such action against them.
Business unit managers must establish an effective control environment in which to implement the firm’s business strategy and pursue its goals within the guidelines established by the Board. They are the first line of defence in keeping “on track” the part of the business for which they are responsible. As such they must not only lead by example in promoting the conduct guidelines espoused by the Board but, crucially, they must act with due care and diligence in ensuring that their unit is organised so that it can be properly managed and that it operates in a compliant manner.
The Board must ensure that business unit managers are fully aware of the nature and scope of their responsibilities, are not compromised by unresolved conflicts, especially in relation to remuneration, and are fully supported by the resources they need, particularly in relation to Risk and Compliance. Crucially, however, business unit managers must be made aware that they will be held to account if they fail to take reasonable steps to prevent non-compliance in their area of responsibility.
The business unit managers are the first of three lines of defence, the Compliance function and Internal Audit function being the second and third, respectively.
The Compliance function, together with Finance, Risk and Legal, will advise business unit managers and the Board on the risks to be addressed and the systems and controls necessary for managing them. Crucially, the Compliance function will monitor their proper execution and report to business unit managers and the Board on their existence and effectiveness. A compliant organisation will have a well-resourced Compliance function that has ready access to senior management, the information and records it needs to examine the business, and the authority and independence to undertake its work objectively. Both the first and second lines of defence should be subject to review by the Internal Audit function to ensure that they are meeting their control obligations.
In addition to compliance with specific rules and regulations, a firm’s systems and controls must also identify and cover the risks arising from conflicts of interest, especially those associated with remuneration policies, product design and sales and market practices, which may result in undesirable outcomes for customers and other stakeholders. A compliant organisation will maintain an inventory of its key compliance risks and of all significant conflicts of interest together with details of the means by which they will be managed and controlled. The necessary policies, procedures, systems and controls will have been fully documented, approved by the Board and implemented by senior management together with appropriate training.
The Internal Audit and Compliance functions will operate risk-based review programmes, the results of which they will share with each other and report to the Board and management to provide them with key management information. Firms that are committed to ethical outcomes will also ensure their reviews cover customer satisfaction indicators, such as the number and nature of customer complaints, repeat business and customer retention metrics. Firms will look into these closely in order to understand their causes and assess what changes to systems and controls, employee training, and so on may be necessary. A firm with a good compliance culture will also operate a whistleblowing procedure under which employees can raise issues of concern in a structured and protected manner without fear of reprisal.
Notwithstanding the work that has already been undertaken in the wake of the financial crisis, regulators continue to regard misconduct in financial services firms with great concern. Current initiatives focus on sound compensation structures and greater personal liability for senior managers. Regulators are also seeking ways to enhance conduct in fixed income, swaps and derivatives, commodities and currency markets which, hitherto, have been regulated comparatively lightly but which have significant market impact.
Ultimately, a culture of compliance is one that places good outcomes for customers and market users at the heart of the business. In doing so, a firm should be better able to meet its obligations to customers, regulators and other stakeholders and therefore reduce exposure to the risk of regulatory enforcement, civil claims, criminal prosecution, and reputational damage. This article has set out some thoughts on how firms can achieve this goal and these will undoubtedly be reinforced by future regulatory initiatives.