THE COMPLIANCE EFFECT: MITIGATING THE LIABILITY OF … accelus...Enforcement activity: Prohibitions of individuals, FSA (2009-2013), FCA (2013-2014) Source: FCA Annual Report 2013/14

THE COMPLIANCE EFFECT: MITIGATING THE LIABILITY OF SENIOR MANAGERS by Jennifer A. Francis

The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Thomson Reuters.

2 THE COMPLIANCE EFFECT: MITIGATING THE LIABILITY OF SENIOR MANAGERS MARCH 2015

CONTENTSTHE CURRENT STATE OF PLAY AND THE ROAD AHEAD . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

MANAGING REGULATORY RISK EFFECTIVELY . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3

SOUNDING THE CULTURE THEME: CONDUCT RISK AND SENIOR MANAGERS LEADING BY EXAMPLE . . . . . . . . . . . . . . . . . . . 5

AVOIDING THE GO TO JAIL CARD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

OTHER TOOLS AVAILABLE TO REGULATORS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

THE TECHNOLOGY REVOLUTION: A COMPLIANCE SOLUTION . . . . . . . . . . . . . . . . . . . . . . 10

THE ROLE OF COMPLIANCE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

IF SOMETHING WAS NOT RECORDED, IT DID NOT HAPPEN . . . . . . . . . . . . . . . . . . . . . . . . . 11

BRAVING THE NEW WORLD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11


THE CURRENT STATE OF PLAY AND THE ROAD AHEAD Changes to regulatory frameworks have created a stream of new demands which will affect firms in the financial sector. Firms today must focus on the adequacy of the structures they have in place to manage the complexity and cross-border challenges of an evolving regulatory landscape.

Indeed, following the financial crisis, even the number of regulators has increased. The UK’s answer was to divide the previous supervisor, the Financial Services Authority, into two bodies: the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA). These supervisory bodies were created to address a perceived lack of focus on prudential issues, with more recent activity centered on the implementation of a new Senior Managers Regime for banks. This will make senior managers, non-executive directors and boards of directors personally liable for internal compliance failures that fall under their remit.

So far there have been no changes to senior management frameworks in the Asia-Pacific region but firms are being advised to consider developments in the UK. Taking the lead are Australia, Hong Kong and Singapore, where directors are being held accountable in circumstances where there is direct and incriminating evidence relating to misconduct.

This year regulators will begin to scrutinize the supervisory practices that are in place to monitor firms’ culture. How the regulators will review the culture of one firm against another is still unclear, but inspections may target corporate governance and reporting lines and aim to pinpoint individual accountability in firms with complex management structures.

MANAGING REGULATORY RISK EFFECTIVELY2015 will bring change for senior managers. A new wave of “regulatory policing” has arrived, where regulators look at ways to ensure managers are on top of risk issues and can be held individually accountable in the event of compliance failures. Senior managers must assess their internal and external business environments and then manage the relevant regulatory and conduct risks.

The following internal and external checklists set out the kinds of issues which need to be considered:

Internal environment – Checklist1

Culture and conduct risk Firms must reach consensus on the culture, risk appetite and tone delivered by senior managers and the board. The "tone at the top" must be appropriate and support the culture and ethical standards of the organization. Although definitions of what "good" compliance looks like vary, there needs to be a joint approach to how the business will deliver the message of culture to the remainder of the firm. This allows senior managers to rest assured that the right business practices are undertaken and that actions taken by employees at all levels are compliant and in the best interests of clients and the firm.

Key areas of supervision It is vital that every employee understands the firm’s values and the importance of remaining compliant. Creating an ethos where this is common practice will have far-reaching benefits both for the organization and for individuals. Senior managers can best approach the rate of change, regulators’ enhanced expectations and their need to acknowledge and manage their own regulatory risk by taking seven actions:

• Know your responsibilities.• Understand the business.


• Familiarize yourself with your team.• Provide evidence of the discharge of personal regulatory obligations and

accountabilities.• Engage with support and control functions. • Ensure that the right controls have been implemented.• Guide the team by way of example; deliver a strong “tone at the top”.

Clearly defined roles, responsibilities and accountabilities

Transparent and thoroughly defined roles are essential. Accountability across a firm should be seamless from top to bottom, with no gaps in responsibility. This helps senior managers to understand exactly what falls under their remit and avoids confusion about responsibilities and lines of accountability. Consideration also needs to be given to handovers, decision registers and exit protocols.

Personal archives The need to provide evidence of compliance is a priority for senior managers. A personal archive demonstrates the discharge of personal regulatory obligations and accountabilities, as individuals can clearly demonstrate what steps were taken to remain fully compliant.

Regulatory approvals and registrations

Regulatory approvals and registrations require constant maintenance and adequate resourcing. A central repository of all employees at the firm is crucial. Firms often check their list of registered persons against the regulator’s records. It is vital that firms establish clear lines of communication with regulators.

Data management Firms should refine their data management processes, as regulators are standardizing requirements. They should also consider undertaking detailed data reviews and additional reporting. The ability to manage data and identify relevant information helps to translate the data into an overview of which regulations may affect the organization.

It is also important for senior managers to use technology that benefits the firm by, for example, enabling active monitoring and screening to highlight potential items that warrant review. Such tools enhance awareness of firms’ day-to-day activities and help management to stay on top of regulatory obligations in each territory where they do business.

External environment – Checklist2

Keeping up-to-date with regulatory and enforcement developments

All regulatory information, such as supranational or cross-border regulatory changes, coverage of compliance breaches, enforcement actions and proposed future regulations, should be considered to ensure that senior managers fully understand the current and future regulatory landscape.

Communication with regulators Senior managers must have a thorough knowledge of relevant regulatory changes, so that they can engage with supervisory authorities to gain a better understanding of how the changes will affect the firm.

Reporting changes Changes in reporting and the inclusion of a standing update in key meetings may be required to help senior managers stay abreast of regulatory changes.

Lobbying Lobbyists can help ensure that firms’ stance on regulatory changes is considered, perhaps influencing new regulation to their advantage. Understanding the political environment of regulation, and remaining in touch with government affairs, provides invaluable insight.

Communication Rigorous policies should enforce acceptable behavior across all channels and types of communication, both internal and external. In particular, multi-firm chats should be prevented.


Is my planned course of action both legal and aligned with the firm’s

code of business conduct and ethics?

In cases that may jeopardize the firm, who should I consult

in my organization: human resources, the legal and

compliance department, or my manager?

Am I sufficiently well-informed to reach the ideal

outcome?

What would my response be to a negative reception

of my conduct by news media?

How will the perception of my firm by external

parties be influenced by my decision?

Have I considered any viable alternatives

before making my decision?

Stay prepared and mitigate personal liabilityConsider the following when reaching for compliant, responsible and ethical decisions:

SOUNDING THE CULTURE THEME: CONDUCT RISK AND SENIOR MANAGERS LEADING BY EXAMPLE What is conduct risk?“Conduct risk refers to the growing need for institutions to reassess the way they conduct their businesses and how regulatory risks and expectations are effectively managed within organizations.” Niall Coburn, regulatory intelligence expert for the Asia-Pacific region, Thomson Reuters Accelus

Firms are considering how best to implement a culture of compliance and influence correct behavior. This culture shift has led to a more controlled environment, in which boards now monitor culture as part of the supervisory review process.


Define what ‘good’ looks like

Ensure ongoing monitoring, follow-up on changes in

regulations, and check that fixes accomplish their aims

Perform an analysis to identify any gaps in how your

organization manages regulatory risk

Fix any issues foundProduce robust reporting of qualitative issues

Continuously evidence that the firm has operated in

compliance with regulations

The lifecycle of conduct risk

Who owns conduct risk? The onus is on the board to set the tone and improve culture, aligning the business with customer interests. The recent Conduct Risk Report 2014/15 published by Thomson Reuters Accelus found that 67 percent of compliance professionals surveyed believed that regulatory focus on conduct risk would increase the personal liability of senior managers. When it came to who was responsible for implementing the organization’s conduct risk policy, only 19 percent assumed it was the board, whereas 36 percent believed that it was the responsibility of the compliance function. Of those surveyed, fewer than half said there was a senior manager who was responsible for conduct risk.

AVOIDING THE GO TO JAIL CARD If the chances dished out by Rich Uncle Pennybags in Monopoly were a reality, then “get out of jail free” cards would no doubt be a priceless commodity. In the current environment, a poorly executed approach to ethics and customer responsibility, whether in the form of market abuse, unethical sales tactics or misleading the regulators, has resulted in record penalties on both sides of the Atlantic and in some cases individuals have been imprisoned.

The UK is embracing a liability framework to ensure that senior managers shoulder the responsibility for unlawful employee activity. The consequences are severe and could include loss of license, reputational damage and hefty fines, for which the individual, not the company, will be liable. In the United States, the burden of proof remains with the prosecution, which must prove that senior managers acted out of willful intent. Whistleblowers are an added and invaluable resource in the government’s pursuit of corporate misconduct in the financial services industry.

Source: Thomson Reuters Conduct Risk Report 2014/15


Senior managers who are found to have been associated with misconduct are increasingly being punished. One of the UK’s largest insurance retailers, Swinton, hit the headlines last year when three of its senior executives were fined and removed from office because they had been responsible for a culture that led to the mis-selling of insurance add-ons in an attempt to boost profits. Peter Halpin, Anthony Clare and Nicholas Bowyer were together fined almost £1 million by the FCA, with Halpin prohibited from ever again acting as a chief executive of an FCA-authorized firm and Bowyer and Clare prevented from being able to hold a significant influence function at any FCA-authorized firm.

Enforcement activity: Prohibitions of individuals, FSA (2009-2013), FCA (2013-2014)

Source: FCA Annual Report 2013/14

In another recent case, Ian Hannam, a leading investment banker and former capital markets chairman at JPMorgan, was left fighting to clear his name following two accusations by regulators that he disclosed inside information to a third party about a potential takeover client. Hannam was fined £450,000.

This year, the former chief executive and the ex-compliance officer at Martin Brokers, David Caplin and Jeremy Kraft respectively, were between them fined £315,000 and banned from operating in influential roles at regulated firms following their involvement in overseeing the manipulation of the London Interbank Offered Rate (Libor). The FCA said that the individuals “contributed to a culture at Martins that permitted Libor manipulation to take place and enabled the misconduct to continue undetected over a prolonged period”. 3

In June 2014 the New York State Department of Financial Services was one of a number of regulators that took enforcement action against BNP Paribas. The violations included schemes designed to evade U.S. sanctions requirements which, with the knowledge of various senior executives, concealed more than $190 billion in transactions for clients in jurisdictions such as Sudan, Iran and Cuba (at the time subject to international trade sanctions). BNP Paribas was fined a total of $8.9 billion and forced to suspend U.S. dollar clearing operations for one year. Critically, the bank was also required to take action against senior executives and other employees. BNP Paribas took action against 45 employees. Disciplinary action included dismissals, cuts in compensation and demotion. Other significant ramifications were a budget of $268 million set aside to strengthen the bank’s compliance program; a new supervisory and control committee overseen by chief executive Jean-Laurent Bonnafė and the retirement of Jean Clamon, who had been BNP Paribas’s top compliance officer since 2008.4


Sanctions in the U.S. (2009-2014)

Also in the United States, in December 2013 Royal Bank of Scotland (RBS) was required to pay $100 million for violations in connection with transactions involving regimes and entities subject to international sanctions. Senior individuals who were found to have engaged in misconduct were also targeted as part of the enforcement action. Those who were dismissed included RBS’ head of banking services for Asia, the Middle East and Africa, and the head of its money laundering prevention unit for corporate markets.5

These examples of misconduct at senior levels have escalated conduct risk to the top of the agenda for both regulators and trading firms. The regulatory reporting requirements have never been stricter, as regulators hone in on mis-selling, rogue trading, insider trading and market abuse, hoping for more high-profile prosecutions. As a result, boards and senior managers now require information more often, and in more depth, to manage the organization’s compliance risks. Recent developments, including the EU Market Abuse Directive, the U.S. Dodd-Frank Act and the Hong Kong Monetary Authority’s consultation on an effective resolution regime for financial institutions, have put pressure on financial institutions to demonstrate that they operate with a more visible culture of compliance.

EVALUATING A FIRM’S RISK CULTURE, ASK YOURSELF 6…Board Staff

Is there a conduct risk management culture at all levels of the business?

Are there clear reporting lines?

Do managers feel they can raise risk-related issues? Do staff feel that they can raise risk-related issues?

Are managers’ ideas supported? Do they feel that concerns raised will be considered and/or acted upon?

Are staff comfortable questioning existing practices and suggesting more effective ways of doing things?

Are managers authorized to identify opportunities that reinforce, and issues that destabilize their risk appetite?

Do existing monitoring and reporting systems ensure that action will be taken when issues are raised?

Can the board demonstrate an effective “tone at the top”? Is conduct risk management part of the established way of planning and executing departmental activities?

*Includes sanctions resulting from expedited proceedingsSource: FINRA

0

100

200

300

400

500

600

700

800

0

100

200

300

400

500

Num

ber o

f Ind

ivid

uals

Sus

pend

ed

Num

ber o

f Ind

ivid

uals

Bar

red

363428

475

705670*

549383

288329

294

429*

481

2009 2010 2011 2012 2013 2014 2010 2011 2012 2013 2014

*Includes sanctions resulting from expedited proceedingsSource: FINRA

2009


OTHER TOOLS AVAILABLE TO REGULATORSOnce too big to fail, now too big to manage The past year has seen a breakdown in culture at some of the biggest banks. Regulators have questioned whether their size and complexity might be at the heart of this cultural dysfunction. If firms are consistently on regulators’ radars for bad behavior, they risk being broken up and deemed “too large to manage”.

The Financial Stability Board, a policy-making body under endorsement of the G20, is driving risk culture, risk appetite and expectations of chief executive officers and chief risk officers.

In the United States, the Office of the Comptroller of the Currency (OCC) recently adopted “heightened expectations” to help firms strengthen supervision, as well as the practices of risk management and governance, and stressed that effective talent management was necessary to foster the right kind of culture for a compliant organization.

In the UK, the proposals outlined in the Senior Managers Regime promote a sense of accountability and compliant behavior in the industry, while also drawing clear lines of responsibility. The PRA and FCA will require any application for an individual who performs a senior management function (SMF) be supplemented with a statement that outlines the responsibilities assigned to that person, including details of any specific management duties they hold.

All relevant firms except small credit unions

small credit

unions only

MANDATORY PRA SMFs

Approval required if individual manages an area with gross total assets of £10bn or more, AND/OR which accounts for either 20% or more of the firm’s revenues, or (if the firm is part of a group), 20% of the group’s gross revenue.

Mop up function: covers individuals with overall responsibility for a key function or identified risk, who are performing a function which is not otherwise specified as an SMF requiring approval by the FCA or PRA.

TEST to be applied by firms: a person should be approved to perform a Significant Responsibility SMF if the Board has delegated to them overall responsibility for a particular function and they are primarily responsible for reporting to the Board in respect of that function.

PRA senior management functions

FCA senior management functions

Non executive oversight functions

Non executive

SMF3: Executive director

SMF9: Chairman

SMF1: Chief executive

function

SMF2: Chief finance

function

SMF4: Chief risk function

SMF5: Head of internal

audit

SMF7: Group entity

senior manager

SMF6: Head of key

business area

SMF8: Credit union

senior manager

SMF10: Chair of risk committee

SMF11: Chair of audit

committee

SMF12: Chair of remuneration

committee

SMF14: Senior independent

director

SMF17: Money laundering

reporting

SMF18: Significant

responsibility senior manager

SMF16: Compliance

oversight

SMF13: Chair of nominations

committee

Executive Executive

Source: New regime for bank staff - Part 1 - Senior Persons, Jane Walshe, Compliance Complete


The attestation processAn attestation is a signed declaration by a senior manager accepting clear responsibility for decision-making at the top level. It is a simple but effective process employed by regulators to encourage a CEO or chairman to garner a greater understanding of compliance throughout their organization. There is no attestation process in place for all rules and regulations at the moment, but this may change in the future.

Indeed, regulators are already rumored to be considering extending the attestation process to cover further senior manager functions. The immediate threat of culpability should be considered a last resort; one would hope that the senior managers of today’s financial institutions would act in the best interests of both their organization and the wider world.

Boardroom agendasThe ever-evolving landscape, coupled with the heightened scrutiny of regulators, has made it increasingly difficult for boards to maintain sound risk practices, and there is a clear downside if things go wrong. With the increased level of regulatory action focused on individual accountability, senior managers and the board need to ensure that an established culture of compliance filters through to all levels of the business.

Firms that could not justify the cost of additional compliance staff are now realizing the benefits of investing in that area. Effective compliance guards the firms against reputational damage, costs from enforcement penalties, lengthy civil and criminal prosecutions, and strained relationships with regulators.

Regulatory matters must remain high on the agenda so that firms can understand proposed changes and allocate additional resources where necessary.

THE TECHNOLOGY REVOLUTION: A COMPLIANCE SOLUTIONCompliance officers are rapidly adopting technological solutions to help them monitor and manage regulatory change across all jurisdictions in which their firms operate.

Automated processes which monitor and manage the lifecycle of each regulatory change and determine its applicability to the business can be invaluable technical tools that encourage individual ownership and engender a sense of responsibility to ensure that correct procedures and a proper audit trail are in place. A well-crafted compliance program can streamline the compliance process and clearly document the steps taken to deal with regulatory requirements before regulators highlight any problems.

Recent revelations about FX and Libor rate rigging, as a result of collusion on messaging systems, illustrate that technology can also facilitate bad conduct, however, the prohibition of chat rooms will not help. If bad conduct does not take place online, then it will simply occur elsewhere. Individuals need to be educated about proper codes of conduct and be publicly punished for any wrongdoing.7

It is indicative of the change in the regulatory environment that internal and external communication channels, including chat rooms, are being used as cultural signifiers. The widespread abuse of chat rooms to collude, price-fix, share sensitive information or engage in other forms of market manipulation can indicate a potentially poor culture in an organization. The opposite is also true: a firm that uses chat rooms responsibly will be able to demonstrate a strong, risk-aware culture.8


Leading technologies can monitor all user-generated content on chat rooms and in internal and external communications, picking up relevant word groupings. These types of controls enable compliance managers to automate their compliance programs and drastically reduce the time required to track employee activities.

THE ROLE OF COMPLIANCE“Internal gatekeepers play just as vital a role in compliance. Compliance officers must design, test, and update firm policies. Firm management and the board generally must approve these policies and monitor compliance within them. Executives, hopefully with the help of a good chief compliance officer, must establish a strong ‘tone at the top’. Because, as we all know, the compliance function won’t work without buy-in and commitment at the top.” Commissioner Kara Stein, U.S. Securities and Exchange Commission

The role of the compliance officer is one of assistance: helping the board and senior managers with monitoring, advising and formulating policy; providing a strong overview of the regulatory environment and regular support to the chief executive; and arming those at the top with the appropriate material and training to execute their roles. Managers need to instil processes and controls that lead to strong internal cultures, but with compliance omnipresent in the current regulatory environment, ensuring that the right training is in place and that employees are up-to-date with the firm’s risk appetite are areas where senior managers and compliance should work hand-in-hand.

Where staff are engaged in specialized activities, training must also be specialized. There will always be a place for generic training, but this must be enhanced by relevant, job-specific and bespoke training combined with practical examples relevant to the firm’s business activities.

IF SOMETHING WAS NOT RECORDED, IT DID NOT HAPPENIn the future, regulators will hold senior managers accountable for negligence or misconduct and request that they be relieved of their responsibilities. For many compliance professionals, the explicit management of their own personal regulatory risk must be accommodated into an already saturated role. Personal archives including, where possible, all board and other meeting minutes providing evidence of any challenges of or engagement by the individual will prove invaluable. Regulators are understood to be pursuing a standardization of the data and information they expect senior managers to capture and record. This will include an explicit suite of documents that the compliance officer must complete and store in a secure but easily accessible place.

BRAVING THE NEW WORLDPersonal liability looks set to become the focus of still more attention. If senior managers are to survive, they must fully understand the regulatory environment and challenge information when necessary. They should delegate with care, since delegation does not discharge responsibility. If, however, delegation is backed by thoughtful, informed decisions, it can be an effective tool for managing responsibilities. Individuals rather than firms will face repercussions, including fines and sanctions for misconduct, but the provision of deep, conclusive evidence can help to prevent this. With hard work, a reliable, compliant workforce and good intentions, senior managers can prepare themselves for the road ahead.


References1, 2 Ten things compliance officers need to do in 2015, Susannah Hammond, Compliance Complete

3 Financial Conduct Authority: http://www.fca.org.uk/news/two-former-senior-executives-of-martin-brokers-fined-and-banned

4, 5 The Rising Costs of Non-Compliance: From the End of a Career to the End of a Firm, http://accelus.thomsonreuters.com/special-report/rising-costs-non-compliance-end-career-end-firm

6 Compliance and Conduct Risk Webinar: http://info.accelus.thomsonreuters.com/Webcast-Materials-Compliance-and-conduct-risk

7, 8 Chat rooms: the good, the bad and the downright ugly, Susannah Hammond, Compliance Complete

© 2015 Thomson Reuters GRC02296/3-15

The Thomson Reuters Governance, Risk & Compliance (GRC) business delivers a comprehensive set of solutions designed to empower audit, risk and compliance professionals, business leaders, and the Boards they serve to reliably achieve business objectives, address uncertainty, and act with integrity.

Thomson Reuters Accelus connects business transactions, strategy and operations to the ever-changing regulatory environment, enabling firms to manage business risk. A comprehensive platform supported by a range of applications and trusted regulatory and risk intelligence data, Accelus brings together market-leading solutions for governance, risk and compliance management, global regulatory intelligence, financial crime, anti-bribery and corruption, enhanced due diligence, training and e-learning, and board of director solutions.

THOMSON REUTERS ACCELUS™

For more information, visit accelus.thomsonreuters.com

Documents

THE COMPLIANCE EFFECT: MITIGATING THE LIABILITY OF … accelus...Enforcement activity: Prohibitions of individuals, FSA (2009-2013), FCA (2013-2014) Source: FCA Annual Report 2013/14