The Knowledge Series: Establishing Effective Compliance Structures
Issue 9 in the Knowledge Series looks at the importance of structuring the Compliance function in a way which is relevant to the business and effective in meeting compliance objectives.
Planning the structure of the Compliance function of any financial institution is not an “off-the-shelf” activity. Each organisation has its own idiosyncrasies, complexities, risks, risk appetites, governance arrangements, business units, products and services, geographical spread etc. Much like a fingerprint, all firms are different, and as such require bespoke control structures. Over the past 10 years, regulators around the world have shown increasing interest in compliance frameworks, including the Compliance function’s organisational structure. The UK’s FCA, and FSA before it, commissioned many Skilled Persons reports on the adequacy of compliance arrangements, which often included an assessment of compliance structure. Regulators are becoming more intrusive, enhancing rules and principles so that the onus of effective compliance and risk management is placed on the senior management of authorised firms. It is important, therefore, for Heads of Compliance to get their control structure right, and pertinent to the nature, scale and complexity of their own business.
There are a number of considerations to bear in mind when structuring your compliance function. As mentioned in the introduction above, each firm is unique, therefore the key drivers may include more or less the areas outlined in Figure 1.
Let us look at some of these considerations, and how they may impact on the optimal compliance structure.
Nature, Scale and Complexity of Firms
The size of the firm, including the number of employees and geographic spread, can be a key driver in the design of the compliance structure. For example, in smaller firms with less than 100 employees and less than five offices, it would possibly be disproportionate to develop a complex compliance structure with multiple reporting lines and segregation of specific compliance roles. Whereas in a large banking corporation with many employees and places of business, it would be appropriate to create a more complex and bespoke compliance structure, taking into account the number of employees, multiple jurisdictions, and product and business line specialists within the structure. In a small firm, the compliance structure would typically be one dimensional with limited segregation of duties, whereas, in larger firms, the structure will have the characteristics of a pyramid.
Larger firms will also have business units and should consider aligning their compliance function to the output and exposure of those business units. Business units typically operate on a standalone basis and have their own P&L to consider. Firms must be cognisant of the impact of this segregation, and evaluate whether one central compliance team will be as effective as a series of sub compliance teams that are aligned with the business structure. By establishing a wholesale compliance team, or a commercial banking compliance team etc., firms can have dedicated, skilled compliance resource working closely with those business units, which fosters a stronger knowledge of the business, and greater alignment between the business, compliance and the governance arrangements, thus giving better management of risk across that vertical.
Where organisations offer a large range of products, be it investment, lending, corporate, or deposit products etc., the regulatory requirements that apply are typically extensive, meaning far-reaching controls are required, as well as a wider range of skill sets across the compliance function. In an organisation with a diversified product offering, it is important that Compliance Officers with appropriate knowledge and experience are deployed. For example, an individual with experience in credit cards is unlikely to fully understand or appreciate the products or transactions typical of wholesale banking. As such, when calculating the number of compliance resources required, and the allocation of those resources, organisations should factor in the need for specialist competencies and skills sets required to deliver effective compliance control.
Some products are more complex than others, and this can also give rise to additional considerations within the compliance structure. Perhaps there need to be layers of review and approval with regards to certain complex products such as Trade Finance solutions. Regulators often place greater requirements over certain product types. For example, structured investment products for the retail sector is an area where there should be close compliance scrutiny, not only at the sales interface but also at the product governance and post-sale stages.
Compliance is an important control function in financial services organisations. In the Basel Committee on Banking Supervision’s (“BCBS”) paper, “Compliance and the compliance function in banks”, there is a set of principles outlined, which underpin the establishment of an effective compliance function. Principle 4 in this paper states, “the bank’s senior management is responsible for establishing a permanent and effective compliance function within the bank as part of the bank’s compliance policy.” The active ingredient in this principle is the word “effective”. The paper goes on to outline some of the characteristics that make up an effective compliance function:
The compliance function should be independent;
- The compliance function should have the resources to carry out its responsibilities effectively;
- The compliance function’s responsibilities should be clear; and
- The compliance function should be subject to review by Internal Audit.
- As a key control function, compliance must feature in an organisation’s risk governance arrangements, with participation in governance fora, monitoring business activities, distribution of important management information and development of specific risk assessments and mitigants.
The compliance function typically belongs in the second line of defence, like other control functions, but significant elements of control will reside in the first line of defence, such as operational controls. When allocating compliance responsibility across the lines of defence, firms should ensure that the compliance function remains independent. For example, where compliance resources are deployed into business units with reporting lines into business line management, there should be scope for compliance to escalate issues outside of this reporting line, and into the central compliance function or an independent committee. Compliance controls should also be allocated in a way that minimises conflicts of interest and maintains independence.
There may also be an overlap of activity with other functions, including Risk and Legal. In this instance, it is important to establish which function is responsible for specific control activities, and how reporting or escalation will work in those instances. Effective risk governance will only be achieved where there are clear allocations of responsibility, clear reporting lines and defined arrangements for escalating issues.
As mentioned earlier, each organisation has their own genetic makeup, and the one-size-fits-all approach to structuring the compliance function isn’t appropriate. It is important that organisations develop their compliance structure to accommodate the nature, scale and complexity of the business.
Let’s take a look at examples of different compliance structures, to illustrate how unique structures can be in relation to their organisation.
In Figure 2, the structure is designed to centralise the compliance function, but clearly, distinguishes between compliance activities and, importantly, retains independence and reduces conflicts of interest. One of the key areas where conflicts of interest can arise in a compliance function is through the provision of compliance advice. Where the size of the organisation permits, a clear segregation between advice and assurance should be maintained. Regulators want to see that true second line activities such as assurance are separated from quasi-first line activities such as advice and guidance.
The BCBS paper outlines the key responsibilities of the compliance function:
- Guidance and education;
- Identification, measurement and assessment of compliance risk;
- Monitoring, testing and reporting;
- Statutory responsibilities and liaison; and
- Coordination of a compliance programme.
These responsibilities can easily be allocated to the broad roles in Figure 2. Advice, guidance and education can be assigned to the Compliance Advisory vertical. Identification, measurement and assessment of compliance risk, and coordination of a compliance programme can be allocated to the Central Compliance vertical. Monitoring, testing and reporting will be the responsibility of the Compliance Assurance vertical and statutory responsibilities and liaison can be assigned to the Regulatory Liaison vertical.
Figure 3 shows an organisational structure that supports business line segregation. This approach is typical in large banks where each business unit is representative of an organisation in its own right. Note that the divisional Heads of Compliance report to their respective Business Heads, but maintain a dotted reporting line to the Group Head of Compliance. This is to ensure that compliance risks are controlled for each business unit, whilst at the same time informing the Group Head of Compliance of delivery against the compliance programme, and any instance of non-compliance. The Group Head of Compliance will also support the Business Head in setting relevant objectives for the divisional compliance team, and in carrying out appraisals of the divisional Head of Compliance. Often, in large organisations, each business unit has its own governance structures and risk management arrangements. As such, it is essential that compliance becomes divisional also, otherwise there could be a break down in risk management.
It is important to note that in the divisional arrangement, compliance resources are able to escalate concerns direct to the Group Head of Compliance, in order to retain the function’s independence. It is also essential that management information from the business unit flows to the Group Head of Compliance, so that adequate group-wide reporting can be provided to the Board and its sub-committees.
Since the financial crisis, compliance functions have undergone change, primarily driven by lessons learned from crystallised compliance risks, but also following on from increased intrusion and intervention by regulators. In addition to this, the compliance job market has grown enormously, with Compliance Officers becoming more fungible than ever before. As senior compliance personnel move from firm to firm, they bring ideas of optimal compliance structures from their previous organisations. Restructuring a compliance function should not be a plug-and-play exercise, and should be based on a clear assessment of an organisation’s business structure and footprint along with due consideration of the compliance risk universe.
Smaller firms with one-dimensional compliance structures are subject to potential conflicts of interest due to the size constraints preventing adequate segregation of duties within the compliance team. These compliance teams often multi-task, covering aspects of advice, operational control, as well as assurance. In this case, Boards should aim to reduce the potential conflicts and attain independent assurance from an external expert, who can carry out periodic compliance monitoring and testing, providing the board with a clear independent view on the state of compliance.
Change in compliance structure should not be embarked upon without a clear rationale and plan to deliver the change. Firms should define a target operating model of where they want the compliance function to be and set out the steps to achieve that target state. A change in compliance structure should not be done in isolation from the business. Heads of Compliance should get the approval and buy-in from senior management before embarking on any structural change, to ensure alignment with the business in general, and a compliance function that will operate with the existing risk governance framework.
- Help identify the compliance risks in your business
- Advise senior management on how to control these risks
Target Operating Model
- Provide target operating model to record current and target states
- Develop action plan to deliver timely achievement of target state
- Develop effective governance structures, appropriate reporting lines, clear job descriptions, and terms of reference
- Review compliance function for appropriateness and effectiveness
- Make recommendations for improvement and help implement changes
- Undertake independent assurance reviews
- Reporting periodically to the Board and its sub-committees