
The Role of Compliance as a ‘Gate-Keeper’ Function [2019] EBLR 965

The Role of Compliance as a ‘Gate-Keeper’ Function in Financial Services: Reality vs Regulatory Conception

Alan Brener*

Abstract

This paper examines aspects of the role of the compliance department and the compliance officer, in the context of a range of control functions, in firms subject to financial services regulation. The issues and recommendations have global application beyond the UK.
The traditional expectation is that the compliance operation advises senior management on the various regulations, and monitors and reports adherence to regulatory requirements. However, this paper proposes that the compliance function needs to go further and venture beyond what some may consider its more conventional roles.
Additionally, this paper questions the extent to which boards and regulators can place reliance on the compliance functions and the compliance officer. This will depend on a number of factors including the compliance units’ ‘authority’ within the business, their professionalism, and their ethical attitudes set within the context of the firm’s own cultures.

Keywords

Financial services, compliance, control functions, regulation, ‘three-lines of defence’, Senior Managers Regime, compliant culture, risk management.

Background

It has been a regulatory mantra for many years that good compliance is good business. It has also been part of ‘the strategy adopted by lawyers and internal “compliance champions” who seek to persuade business leaders that it is in their own long-term self-interest to comply’.1 This approach has formed part of a range of measures which over the decades have tried to encourage firms to act compliantly. These have included a focus on business and compliance processes and controls, the removal of incentive schemes which may have supported non-compliant behaviours, regulatory sanctions against the regulated firm, the employment of regulatory principles exhorting the right conduct (e.g., ‘to treat customers fairly’), individuals held personally accountable by the regulators, etc. Nevertheless, in the UK, since the late 1980s there has been a growing focus and reliance on the regulatory ‘gate-keepers’. This paper considers aspects of the role of one of these functions: the compliance department and its leader, the compliance officer.

* Teaching Fellow at University College London and Queen Mary University London, UK.
1 Christine Parker and Vibeke Lehmann Nielsen, Deterrence and the Impact of Calculative Thinking on Business Compliance with Competition and Consumer Regulation 56 The Antitrust Bulletin 377-426, 384 (Summer 2011).

Brener, Alan. ‘The Role of Compliance as a ‘Gate-Keeper’ Function in Financial Services: Reality vs Regulatory Conception’. European Business Law Review 30, no. 6 (2019): 965-984.
©2019 Kluwer Law International BV, The Netherlands
The financial services regulatory system in the UK, and in a number of other juris-
dictions, relies upon a number of individuals and bodies operating within regulated
firms to promulgate the requirements of the regulators within these firms, to monitor
their implementation, to report significant issues to the senior executives and board,
and to keep the regulators informed of developments. The regulatory system can only
work successfully if these ‘insiders’ operate consistently with regulatory requirements
and expectations.
These ‘insiders’ include individual board directors operating within a corporate
governance framework and a range of specialist ‘gatekeepers’ including the general
counsel and the ‘control functions’ covering, among others, risk directors, compliance
officers, and senior internal audit managers. The role of boards in banking has been reviewed.2 It is now subject to greater regulatory focus under the Senior Managers and Certification Regime (SM&CR).3 There is also a growing interest in the work
of the gate-keeper functions.4 There has also been work on the role of ‘in-house’
corporate lawyers and general counsel.5 However, almost no empirical or analytical
work has been undertaken on the role of the control functions.6

The Process of Role Change

More is now expected of the compliance officer and their team and they are ‘subject to ongoing and significant change, particularly in the UK’.7 The Basel Committee on Banking Supervision (the Basel Committee or BCBS) has produced a summary of compliance areas of responsibility.8 The over-arching aim is for the compliance function to ‘assist senior management in managing effectively the compliance risks faced by the bank’ including ‘monitoring compliance with the policies and procedures and reporting to management’.9 ‘The compliance function should advise senior management on compliance laws, rules and standards… establishing written guidance to staff on the appropriate implementation of compliance laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines’.10

2 David Walker, A Review of Corporate Governance in UK Banks and Other Financial Industry Entities: Final Recommendations, (November 2009), <http://webarchive.nationalarchives.gov.uk/+/www.hm-treasury.gov.uk/d/walker_review_261109.pdf>, (accessed 9 May 2018).
3 Financial Conduct Authority (FCA) website, Senior Managers and Certification Regime: Banking, <https://www.fca.org.uk/firms/senior-managers-certification-regime/banking>, (accessed 31 January 2018).
4 Iris Chiu, Regulating (From) the Inside: the Legal Framework for Internal Control in Banks and Financial Institutions (London, Bloomsbury, 2015).
5 Richard Moorhead, Precarious Professionalism: Some Empirical and Behavioural Perspectives on Lawyers 67 Current Legal Problems 447-481 (2014).
6 In 2006/7 Sharon Gilad undertook some empirical work on the role of compliance officers in financial services firms. See Christine Parker and Sharon Gilad, Internal Corporate Compliance Management Systems: Structure, Culture and Agency in Christine Parker and Vibeke Lehmann Nielsen (eds), Explaining Compliance: Business Responses to Regulation (Cheltenham, Edward Elgar, 2011).
7 Deloitte website, The Changing Role of Compliance, <https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-financial-changing-role-compliance.pdf>, (accessed 17 August 2018).
However, this paper proposes that the compliance function needs to go further and venture beyond what some may consider its more conventional roles. This may include:

– devising and implementing a training programme for staff in the business;
– providing a form of ‘internal consultancy’ on the regulatory and compliance arrangements and their implementation;
– pro-active intervention to influence business strategy and product development. This includes compliance senior staff sitting on the product approval committees with a right of veto over new products being launched.

Additionally, this paper questions the extent to which reliance can be placed by both
the boards of regulated firms and the regulators on the compliance functions and, in
particular, the senior staff responsible for these areas. The results will depend on a
number of factors including the role of these individuals, how they and others perceive
this role, their ‘authority’ within the business, their professionalism, individual expe-
rience and training and their ethical attitudes set within the context of the firm’s own
cultures.

The Compliance Department

The origins of compliance departments in financial services firms can be traced back to the rule-books of the first self-regulatory organisations established in the early 1990s under the aegis of the Financial Services Act 1986.11 Much of the current Conduct of Business regulatory rule-book has adopted the rules set out in the early 1990s by the Life Assurance and Unit Trust Regulatory Organisation (Lautro) governing investment business marketing and distribution. The guidance produced for compliance departments at that time remains relevant.12

8 Basel Committee on Banking Supervision, Compliance and the Compliance Function in Banks, Principle 7, 13-14, (2005), <https://www.bis.org/publ/bcbs113.pdf>.
9 Ibid, at 13.
10 Ibid, at 7.
11 For example, Kit Jebens, Lautro: a Pioneer Regulator 1986-1994 (private printing, in author’s collection 1997), 68.
12 Alan Brener, The Golden Threads of Compliance 3 Journal of Financial Regulation and Compliance 344-349 (1995).

More recently the Basel Committee on Banking Supervision has set out the basis for the compliance function. It should have a ‘formal status within the bank to give it the appropriate standing, authority and independence. This may be set out in the bank’s compliance policy or in any other formal document. The document should be communicated to all staff throughout the bank’.13 The Committee states that this policy document should set out the compliance department’s roles and responsibilities and:

• the measures taken to ensure its independence;
• its relationship with other risk management functions within the bank and with the internal audit function;
• in cases where compliance responsibilities are carried out by staff in different departments, how these responsibilities are to be allocated among the departments;
• its right to obtain access to information necessary to carry out its responsibilities, and the corresponding duty of bank staff to co-operate in supplying this information;
• its right to conduct investigations of possible breaches of the compliance policy and to appoint outside experts to perform this task if appropriate;
• its right to be able freely to express and disclose its findings to senior management, and if necessary, the board of directors or a committee of the board;
• its formal reporting obligations to senior management; and
• its right of direct access to the board of directors or a committee of the board.14

The Compliance Function: UK Regulations

The increased regulatory dependence on the compliance function is highlighted by the regulatory protection afforded to this area. Since March 2016 the Financial Conduct Authority (FCA) Rules have required that there is a senior manager responsible for ‘safeguarding the independence and having oversight of the performance of the compliance officer’.15
The Rules specify that regulated firms must ‘maintain a permanent and effective compliance function which operates independently and which has the following responsibilities: to monitor and, on a regular basis, to assess the adequacy and effectiveness of the measures and procedures put in place in accordance with and the actions taken to address any deficiencies in the firm’s compliance with its obligations and to advise’ those in the business regarding regulated activities.16
The Rules go on to require the regulated firm to ensure that the compliance function must have the necessary authority, resources, expertise and access to all relevant information; a compliance officer must be appointed and must be responsible for the compliance function.17 There are also various requirements designed to prevent possible conflicts of objectives in this area, including ensuring that the remuneration of the compliance officer does not compromise their objectivity and must not be likely to do so.18

13 Basel Committee, Compliance and the Compliance Function in Banks, 11, see n 8 supra.
14 Basel Committee (2005), 11, supra n 8.
15 FCA Supervisory Handbook (SUP) 10C.4.3R.
16 FCA Handbook SYSC 6.1.3R.

The Minimum Requirements of a Compliance Function

A key role of the compliance function can be summarised as the preparation and promulgation of compliance policies, the provision of advice on compliance matters, the checking and assessment of new products and procedures, and monitoring and reporting to the firm’s management how these policies are applied.19 This requires the existence of a permanent and effective compliance function headed by the compliance officer.20
The EBA Guidance merely notes that the findings of the compliance function should be taken into account by the management body and the risk control function within the decision-making process.21 Moreover, the compliance function also needs to be forward looking and to advise the firm’s management ‘on laws, rules, regulations and standards the institution needs to meet and assess the possible impact of any changes in the legal or regulatory environment on the institution’s activities’.22 However, these requirements are only a bare minimum and on their own fail to set out the much fuller role necessary for a fully effective compliance function.
Compliance operations are central to a company being compliant. Compliant systems are necessary but not sufficient. It is ‘compliance management … combin[ing] management, resources, values, and formal compliance management systems’, which makes a difference.23 However, there may be a danger of confusing cause and effect: having good compliance management may simply be an indicator of a compliant business.

‘In Loco Moderator’

It is impossible for the regulator to be present in a firm at all times; nor should it be necessary for the regulator always to be on-site. It is a central concept of regulation that the firm and its management should take ownership of their good compliance with the regulations. To ensure this, one of the key functions of the compliance function is to stand in for the regulator and to provide assurance to senior management and the board, and to the regulators and other stakeholders, that compliance risks are being properly managed. There is also a danger of a possible mis-match between regulatory expectations and what is doable by compliance. Moreover, the role of compliance has gained in breadth over the years and there is a risk that compliance tries to cover all aspects of the business. This is likely to destroy the focus of the function. It is, moreover, difficult to determine the nature of the relationship between regulatory supervisory teams and compliance functions. It should be based on trust. This relationship is crucial for all stakeholders and should be a matter of close interest, and possible intervention, for both the business board and the executive, since it may have a direct effect on the success of the business itself.

17 SYSC 6.1.4R.
18 SYSC 6.1.4 (3) and (4).
19 European Banking Authority, Guidelines on Internal Governance (GL 44), 11, and 43, (2011), <https://www.eba.europa.eu/documents/10180/103861/EBA-BS-2011-116-final-EBA-Guidelines-on-Internal-Governance-%282%29_1.pdf>, (accessed 20 August 2018).
20 Ibid. (EBA Guidelines), at 43.
21 Ibid. (EBA Guidelines), at 43.
22 Ibid. (EBA Guidelines), at 43.
23 Christine Parker and Vibeke Lehmann Nielsen, Corporate Compliance Systems: Could They Make Any Difference? 41 Administration and Society 3-37, 28 (2009).
The compliance department needs to be ever present in the regulated firm with a deep understanding of the business and its drivers. However, there is a natural tendency for any risk management sector to try to limit its areas of responsibility and to set boundaries to both its scope and powers. The aim would be to try to avoid blame if, and when, an issue arises in an area beyond the set boundary. This is particularly an issue with aspects of anti-money laundering, where success depends on access to sufficient IT resources. Further, the compliance function has also suffered from the fact that the finance department has both undertaken the operational aspects of prudential compliance and ensured its own compliance. Dialogue with the regulator is held directly with the finance division with little role for compliance.24
Additionally, compliance in the UK has no professional body nor recognised training programme. The other gate-keeper functions all have their professional bodies. Attempts have been made in the UK to remedy this position. These have all failed for a variety of reasons including lack of regulatory support, no conceptual underpinning to the role and purpose of the function and a commensurate lack of authority in many organisations. This is an aspect that the regulators should seek to address.
In contrast to the US, senior compliance staff in the UK banking sector tend to be recruited from regulators, other compliance departments and line business areas. Very few have legal backgrounds. This may reflect the needs of the business to have people who understand how the regulators think and who have a sound knowledge of business processes. A fuller analysis is provided in the appendix to this paper.

The Compliance Function and Risk Management

The role of compliance within a regulated firm is often seen in the context of compliance risk management. So, for example, the European Banking Authority expects regulated firms to set a ‘risk tolerance’ or ‘appetite’.25 These terms are described as being interchangeable ‘to describe both the absolute risks an institution is a priori open to take (which some call risk appetite) and the actual limits within its risk appetite that an institution pursues (which some call risk tolerance)’.26 The role of the compliance function is to manage compliance risk, which is defined as ‘the current or prospective risk to earnings and capital arising from violations or non-compliance with laws, rules, regulations, agreements, prescribed practices or ethical standards [which] can lead to fines, damages and/or the voiding of contracts and can diminish an institution’s reputation’.27
The compliance function can be said to have two duties: a contractual duty to their employer to identify, to manage and to report compliance risks, and a more nebulous responsibility to the public good to prevent these risks from becoming significantly harmful. They may be said to have taken on the ‘insider’ role of guardians of the public interest. However, fulfilling these roles is contingent on determining what compliance risk is.

24 KPMG, The Future of Compliance, 27 (2012), <https://www.int-comp.org/media/1048/kpmg-future-of-compliance_web_acc4.pdf>, (accessed 20 August 2018).

The Identification and Assessment of Compliance Risk

‘Compliance risk’ identification requires both ‘risk assessment and risk management’ which need to be ‘aligned to corporate goals’ and the setting of ‘compliance objectives [and] systematic procedures for risk identification and reporting’ with a special focus on emerging risks.28 The approach by the compliance function needs to equate to the organisation’s ‘risk appetite’, again, as mentioned, a term borrowed from risk methodology.29 In risk terms this means having in place adequate systems of internal control which help identify, mitigate and report compliance risks.
The approach taken by compliance departments in assessing risk may appear to be very objective, reinforced by the use of complex statistics. In outline it usually involves the preparation of extensive lists of possible issues covering every aspect of a business and assigning an ‘inherent’ risk score to these problems occurring, followed by risk mitigation controls and an assessment of the effectiveness of these controls, leaving a ‘residual’ or uncovered risk which may require further mitigation depending on the institution’s ‘risk appetite’. The result may be a vast database which can be manipulated and used to produce compliance risk ‘heat maps’ employed to identify areas for increased monitoring and surveillance. Statistical analysis may be employed to assess these risks using a form of cost/benefit analysis. These techniques may include ‘minimax’ algorithms and ‘pandora’ or ‘Renn’ assessment where there is a low probability of the risk manifesting itself but the impact could be very high.30

25 EBA Guidelines, at 8, supra n 19.
26 EBA Guidelines, at 11, supra n 19.
27 EBA Guidelines, at 43, supra n 19.
28 KPMG, Clarity on Compliance: the Future of Compliance, 10 (2016), <https://assets.kpmg.com/content/dam/kpmg/pdf/2016/06/ch-clarity-on-compliance-en.pdf>, (accessed 20 August 2018).
29 Ibid. (KPMG), at 48.
There are a number of issues with risk-based assessments. These include approaches which appear, superficially, to be statistically rigorous but include substantial untested value judgements. They may also be used to justify the end result, with the calculations and assessment tweaked to produce the desired outcome. Further, ‘they hold out the promise that the challenges and complexities of regulation can be rationalised, ordered, managed, and controlled. But whilst the picture is tempting, risk-based frameworks entail the risk of process-induced myopia’.31 The process may blind the operators and stakeholders to the real risks.
Further, boards and senior executives may see regulatory issues as technical matters best left to specialists in the legal and compliance teams. It is a challenge for the regulators to gain, and retain, the attention of the regulated firm’s senior management and board. The regulator needs to ‘leverage their disciplinary actions to demonstrate the moral wrong by the transgressor – that it is not just a breach of some technical set of rules but that their actions have harmed particular individuals’.32
However, many of these assessments are based on judgements which go beyond the technocratic.33 They may be based on what is possible within the IT and operational constraints of an organisation, the balance of power within the firm and an assessment of the regulator’s intentions and interests.

The Compliance Function as an Intermediary

The scope of regulation affecting banking has grown and evolved over the last thirty years to cover many more areas of the business, with further demands for additional compliance staff.34 Consequently, the role and function of a compliance department in the UK has expanded and become of existential importance to the business and within society.
Acting as an interlocutor between the regulators and the firm is central to the role of the compliance function. There is considerable scope for a misunderstanding between the two. Often the language used by regulators means little to those working within the business. The rules and guidance are frequently drafted in generic and open-textured styles, while internal communications of instructions within a business are usually terse and to the precise point, often incorporated into sets of operational instructions. Similarly, the actions of the business need to be communicated back to the regulators in terms that the latter will understand.
Consequently, the compliance staff need to ‘operationalise’ regulatory rules and guidance for use within the firm in terms that will resonate with staff that need to apply them in their day-to-day work.35
In summary, the compliance unit has five key functions:

• identifying the risks that a firm faces and advising on them (identification)
• designing and implementing controls to protect a firm from those risks (prevention)
• monitoring and reporting on the effectiveness of those controls in the management of an organisation’s exposure to risks (monitoring and detection)
• resolving compliance difficulties as they occur (resolution)
• advising the business on rules and controls (advisory).36

30 Government Office For Science, Blackett Review of High Impact Low Probability Risks, 17-18 (2011), <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/278526/12-519-blackett-review-high-impact-low-probability-risks.pdf>, (accessed 20 August 2018).
31 Julia Black, The Emergence of Risk-Based Regulation and the New Public Risk Management in the UK, Public Law 512, 521, (2005).
32 Christine Parker, The ‘Compliance’ Trap: the Moral Message in Responsive Regulatory Enforcement 40 Law and Society Review 591-622, 602 (September 2006).
33 Julia Black and Robert Baldwin, When Risk-Based Regulation Aims Low: A Strange Framework 6 Regulation and Governance 131-148, 146 (2012).
34 City AM, Why those with a head for compliance and regulation are in hot demand, as skills shortages cause salaries to rise, (29 March 2016), <http://www.cityam.com/237667/why-those-with-a-head-for-compliance-and-regulation-are-in-hot-demand-as-skills-shortages-cause-salaries-to-rise>.

Compliance in Operation

The compliance function faces a number of significant issues in carrying out its increasingly wide-ranging roles. The first is knowing the business. The compliance operation can be said to stand in place of the regulator within the business and, consequently, the latter would expect the compliance function to understand the business in considerable depth. In a complex business spread over many locations and jurisdictions this may be very difficult.
Second, compliance needs to understand the requirements of the regulations and regulators. This means appreciating all the sources of regulation (e.g., primary and secondary legislation, regulatory rules and ‘guidance’, and the importance of regulatory reports and speeches). Closely linked to this is the third important task of developing a high level of trust with the regulators. The broadly drawn regulations and the highly discretionary element in UK regulation mean that all firms are always in breach of one or more rules and, consequently, establishing and maintaining relationships of trust with the regulators is crucial to the success of the compliance function and, hence, the regulated business. This requires that compliance is undertaken proactively, including embedding the compliance function within the business strategy and product and process development systems.
Part of this approach requires a considerable knowledge of what is going on within the business. This could include adopting a technique developed by the Prussian general staff in the mid-19th century, the ‘directed telescope’, used to control army and corps units in the war with Austria in 1866. Essentially, this means having compliance staff, reporting to the centre, based in each of the significant business and operational areas. However, this may be at odds with the discredited ‘three lines of defence’ model currently adopted by many large regulated firms. This issue is considered later in this paper. There are further important sources of information including customer complaints and ‘whistleblowers’ who often have information based on their own knowledge and observations.
Understanding the compliance risks faced by the business includes analysing both ‘upstream risk’ (i.e., potential risks which have still to come into focus, such as draft legislation) and ‘downstream risk’ where the issues are clear (e.g., legislation which has been enacted but not yet implemented). Compliance will need to have a unit monitoring and assessing these risks to determine the need to make representations to, for example, legislators and to prepare the business in time for the changes required to address these risks.
The compliance unit will also need to be deeply embedded in business strategy development, including the formal sign-off processes (e.g., for business strategies, acquisitions, significant business restructuring, product development and marketing, etc.). It is important, as will be discussed later, that compliance has sufficient authority in the business to be able to say ‘no’ and to halt a project.
The compliance unit will also be responsible for monitoring aspects of the business, testing and reporting and follow-up. The areas selected for checking will depend on how compliance risk is assessed. This element is considered later. Compliance must be tenacious. It must never let go until it is completely convinced that the problem issues have been adequately resolved and that this has been evidenced. This requires both drive and a sense of urgency. Regulatory enforcement has demonstrated weaknesses in these areas.37

35 International Compliance Association (ICA) web-site, <https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/>, (accessed 23 January 2018).
36 Ibid., (ICA web-site).

Inter-action by the Compliance Unit with Other Stakeholders

The compliance unit, and especially the compliance officer, need to have a very close relationship, based on mutual trust, with the chairman of the main board and the board audit and risk committee or its equivalent. There is a strong argument for the compliance officer to be a member of the business executive committee and for the chief risk officer to be on the main statutory board. All these aspects have grown in importance with the implementation of the SM&CR, which affixes personal responsibility and liability on many board members and other key individuals in the firm, including the compliance officer.

37 FCA, UBS AG, Final Notice re Kweku Adoboli (25 November 2012), <https://www.fca.org.uk/publication/final-notices/ubs-ag.pdf>, and FCA, JPMorgan Chase Bank, Final Notice re Bruno Iksil (‘London Whale’) (18 September 2013), <https://www.fca.org.uk/publication/final-notices/jpmorgan-chase-bank.pdf>, (both accessed 20 August 2018).

It is equally important that there is a bond of trust between the compliance officer, and their team, and the supervisory sections within the regulator. The latter must be confident that the compliance unit will notify it of any significant issues very promptly and will be open in its disclosure of information. Any failure to report material issues very swiftly will always make the issues worse and undermine regulatory confidence. A trustworthy compliance function is more likely to be trusted by the regulator to carry out a thorough ‘root-cause’ analysis and quickly to provide an unvarnished report on the issues and their resolution. This may spare the business further regulatory intervention and enforcement action. Finally, there needs to be a close relationship between the compliance function and the other control functions (e.g., internal audit and risk). This should also include the general counsel and legal department.

Possible Risks Faced by the Compliance Unit

It is evident that, in the past, in some companies compliance staff have not been properly selected and trained and there has been little professional development. There is a risk that they may lack the necessary strength of character or the ability and skills for such an important role. In addition, compliance functions face an ever-growing remit and possible overload. Since everything a business does is subject to regulation there is a considerable danger of compliance being too thinly spread and, in trying to defend everything, failing to protect anything.
There are further risks that elements of the compliance function may be outsourced and that some firms become too dependent on the use of external consultants. All these factors pose significant risks for the business. The regulator will be aware of these potential issues and may judge the senior management of the firm accordingly.

‘Three Lines of Defence’

There is a perception by the regulators, and this is reinforced in the regulations, that
businesses are structured as strict hierarchies. In practice, however, firms
are much more fluid, operating through informal networks which frequently change,
with responsibilities often moving depending on the task or issue in hand. This poses
problems for both regulators and firms, since these undocumented arrangements are often
not understood or appreciated by the regulated business itself or by the regulator.
Second, issues with corporate structures are compounded by a management theory,
supported by the regulators, known as the 'three lines of defence', which has been
widely adopted and is still prevalent in the financial services industry. In essence it
divides responsibility for controlling risk and compliance into three. The front-line
business functions take primary responsibility for risk management and regulatory
compliance; a second line of control functions, such as the compliance department,
checks and reports on the effectiveness of the first line; and this is backed up by
the firm's internal audit function, which provides a third and final line of defence. The
theory sounds conceptually attractive but it is difficult to operate successfully and has
been described as providing ‘a wholly misplaced sense of security … responsibilities
have been blurred, accountability diluted, and officers in risk, compliance and internal
audit have lacked the status to challenge front-line staff effectively. Much of the sys-
tem became a box-ticking exercise whereby processes were followed, but judgement
was absent’.38
A recent regulatory review found that 'understanding of the role and purpose of
the compliance function was sometimes not clear' within the business 'or had become
blurred by the addition of control functions to the first line of defence'.39 The 'three
lines of defence’ model may have also promoted the use of an ‘accountability firewall’
‘to prevent those in senior positions having a strong sense of personal engagement
with and responsibility for failings and misconduct within their line of management’.40

A Compliant Culture

As has been pointed out, compliance and non-compliance exist on a spectrum.41 In
many instances it is difficult to determine whether an action or omission is compliant
or not without understanding the particular context and the circumstances of the issue
at hand. Consequently, there is often a process of interpretation, and even negotiation,
frequently undertaken by senior compliance staff. This has been described as a 'range
of strategies by which [individuals] respond to and negotiate external regulation and
internal compliance systems'.42 This process has to be based on common understandings
which form part of the culture of an organisation.
The result is that a newly appointed compliance officer needs to assess the culture of
the bank they plan to join before accepting the post. They would need to think very
carefully if they perceive that the culture is inadequate. In these terms an
organisation's culture has been defined as 'the tacit understandings, habits, assumptions,
routines, and practices that constitute a repository of unarticulated source material
from which more self-conscious thought and action emerges … culture thus
mediates between structure and agency, that is, between formal compliance system
and strategic action'.43 It provides filters through which individuals perceive the

38 Report of the Parliamentary Commission on Banking Standards, Changing Banking for Good, Vol. I: Summary, and Conclusions and Recommendations, HL Paper 27-I HC 175-I, 141 (2013), <https://www.parliament.uk/documents/banking-commission/Banking-final-report-volume-i.pdf>, (accessed 20 August 2018).
39 FCA, The Compliance Function in Wholesale Banks, para. 22.3 (November 2017), <https://www.fca.org.uk/publication/research/the-compliance-function-in-wholesale-banks.pdf>, (accessed 20 August 2018).
40 Ibid., (PCBS report), at 283.
41 (Parker and Gilad), at 175, supra n6.
42 (Parker and Gilad), at 176, supra n6.
43 Ibid.
compliance system and other aspects of social structure, and through which they
conceive of possible responses.44
Without the right business culture all regulations are likely to be futile. The FCA
are conscious of this issue. ‘Financial services is still about the money and about fear
– including fear of the regulator. I talked recently to a senior executive who told me
that fear had driven them to make radical and rapid change for the better. However,
she told me that it was a very effective source of motivation but it wasn’t personally
sustainable for the long term. So, fear can’t be the only source of motivation’.45 It is
often summarised in the trope that ‘culture eats process’ and it is to process that this
paper next turns.

Compliance and Process-Based Regulation

Much of the regulation governing the UK financial services industry is process orientated.
The regulations set an objective (e.g., the firm must 'determine whether the
customer has the necessary experience and knowledge to understand the risks related
to a particular product').46 However, the regulators leave it to the firm to devise
the appropriate process to achieve this end, including how the process is
monitored and the results reported.
This has been described as the government taking on the role of a 'meta-manager',
as it seeks 'to guide and motivate firms to order their own economic activity in a way
that is more aligned with social interests'.47 Others have described it as 'enforced
self-regulation'.48 It requires cooperation on the part of the regulated firm with the
regulator in a spirit of trust and responsibility. The regulators will monitor and enforce
compliance both to protect the public interest and to protect and
encourage those firms that have acted responsibly in meeting the regulatory objectives.
The compliance function has a central role in fulfilling these objectives, and the
trustworthiness of the business management is central to this concept.
Meta-regulation has many advantages since, by setting regulatory objectives, policy-makers
can encompass a wide variety of businesses and organisational styles and
systems without having to produce thousands of specific rules.49 Moreover, the
employment of 'gate-keepers' within the business means that the process of monitoring
and reporting compliance is always 'on' and is not wholly reliant on periodic regulatory
inspection visits. Trust is conditional, and regulated firms and individuals may
be subject to substantial regulatory sanction if significant failures are found.

44 Ibid.
45 Jonathan Davidson, Culture and Conduct – Extending the Accountability Regime, speech by the FCA Director of Supervision (20 September 2017), <https://www.fca.org.uk/news/speeches/culture-conduct-extending-accountability-regime>, (accessed 20 August 2018).
46 FCA, Conduct of Business Sourcebook 10A.2.3.
47 Cary Coglianese and David Lazer, Management-Based Regulation: Prescribing Private Management to Achieve Public Goals 37 Law and Society Review, 691-730, 713, (2003).
48 Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate in Martin Lodge, Edward Page and Steven Balla (eds), The Oxford Handbook of Classics in Public Policy and Administration, 564 (Oxford, OUP, 2015).
49 Coglianese and Lazer, at 705, supra n47.
There are, nevertheless, also difficulties in establishing a concurrence between the
management objectives of the regulated firm and those of the regulator.50 This level
of objective and methodological coordination needs to permeate through all the organ-
isational levels within a business.51
This system is likely to result in process-based regulation.52 There is a tendency
for regulators to focus on process rather than outcomes. This is largely because the
regulations are often set out in operational terms and it is generally easier to assess
process compliance. Measuring outcomes is more difficult and the results less clear-cut.
This is a particular issue in areas such as business culture and ethics. Measuring
and assessing these important areas poses a challenge to both firms and
regulators.53 It is suggested that this form of regulation lends itself to industries where
the regulator ‘knows the result it is trying to achieve but does not know the means for
achieving it, when circumstances are likely to change in ways that the [regulator]
cannot predict, or when the [regulator] does not even know the precise result that she
desires’.54 The regulatory position may become even more complex where each
regulated firm is required to evaluate itself against vaguely defined regulatory objec-
tives and to devise its own remedial actions to deliver the regulatory goals. This was
evident in the Financial Services Authority’s ‘Treating Customers Fairly’, (TCF)
initiative.55

Measuring Compliance

The Basel Committee paper on compliance suggests that ‘the compliance function
should consider ways to measure compliance risk’.56 Conceptually this appears sound
and there are some useful measures (e.g., customer complaint levels, dealing limit
breaches etc.). However, it is likely that most measures used will be too simplistic,
too high-level and too aggregated to be useful, and may be misleading. There will
be useful data, for example staff opinion surveys which indicate levels of trust and
engagement within organisations, but the information needs to be analysed down to

50 Neil Gunningham and Darren Sinclair, Organizational Trust and the Limits of Management-Based Regulation 43 Law and Society Review 865-867 (2009).
51 Ibid. (Gunningham and Sinclair), at 872.
52 Sharon Gilad, It Runs in the Family: Meta-Regulation and its Siblings 4 Regulation and Governance 485-506, 488-491 (2010).
53 OECD, Good Practice Guidance on Internal Controls, Ethics, and Compliance (2010), <https://www.oecd.org/daf/anti-bribery/44884389.pdf>, (accessed 20 August 2018).
54 Cristie Ford, Innovation and the State: Finance, Regulation, and Justice, 96 (Cambridge, CUP, 2017).
55 (Parker and Gilad), at 179-190, supra n6.
56 (BCBS), at 14, supra n8.
the lowest sectoral level possible. This may help, for example, to identify disaffected
teams and distrusted leadership which may present compliance risks.
Presenting aggregated 'dashboards' to risk and audit committees may tend to mask
issues and present too rosy a picture when problems are buried in the depths of the
business.

Compliance Monitoring, Testing and Reporting

Compliance monitoring and testing is a central compliance function. It needs to be
undertaken with rigour, and the results must not be watered down. They should be
reported to both executive and board committees with clear explanations of their
import and with remedial action plans. This information should also be provided to
the regulators.
The remediation programme and its timetable need to be tracked by compliance,
retested and the outcomes reported. Remediation failures need to be treated as
particularly serious, with consequences for those in charge of the area in question.

Compliance Work Programmes and Back-Book Reviews

The BCBS expects businesses to have a risk-based compliance programme which
sets out the compliance unit's 'planned activities, such as the implementation and
review of specific policies and procedures, compliance risk assessment, compliance
testing, etc'.57
However, this is not sufficient. The BCBS guidance is very much focused on procedures
and process. This is important, but it may ignore latent risks. For example,
there may be risks lurking in the firm's back-book where regulatory standards and
customer expectations have moved on. Compliance needs to undertake a risk-based
programme of back-book reviews against current standards and views in the light of
existing and forecast economic conditions. The resulting remediation may be expensive,
but it is probably less costly than the same issues coming to light many years hence.

“Up-stream” Risks and the Moral Dilemma

As mentioned earlier, compliance needs to assess 'up-stream' risks. These can be
viewed as risks which are perceived but have not yet crystallised. They could include
draft legislation which is still progressing through the legislative process and which
might be subject to amendment as it proceeds, or the ideas of campaign groups or
think-tanks which may influence the political debate. Compliance and other

57 (BCBS), at 13-14, supra n8.
gate-keeper functions need to be aware of these risks and their possible effect on the
business and its customers, suppliers and other stakeholders. It may be an area for
intervention in an attempt to influence the discussions. However, lobbying may be
controversial; it may pit the firm against other interest groups and result in regulation and
other forms of governmental action which are in the interest of the business but
not necessarily in the interest of the public or other stakeholders. This presents gate-keeper
functions with a moral dilemma and tests their professionalism.

Compliance: Organisational Reporting Lines and “Authority”

Traditionally, compliance functions in financial services have reported to either the
chief risk officer or the finance director and, in a few cases, to the general counsel. In part
this reflects different perspectives on the role of compliance. Some may see compliance
as part of the firm's risk management while others may perceive compliance as
an advisory function closer to the role of the in-house legal team. As described earlier,
compliance has a much more complex role covering the provision of advice, monitoring,
assessment, reporting and taking on a more operational role.
The Basel Committee has provided guidance on what is necessary to 'promote the
independence of the compliance function'.58 These are:

• the appropriate seniority of the head of compliance,
• the specialisation of the compliance function,
• a formal organisational status, and
• free, unencumbered access to any member of staff or document.59

However, this paper suggests that this is not sufficient. It is also important that com-
pliance reports directly to the main board and the appropriate board sub-committees.
The compliance officer should also be a full member of the executive committee
managing the firm. This helps ensure that compliance understands the business strat-
egy and enables it to have its voice heard in determining this. It demonstrates the
importance assigned by the firm to compliance and helps to buttress the authority of
the function.

The Achievement, and the Abuse, of Power by Compliance

As already mentioned it is important that compliance achieves authority within the
regulated firm. This authority is a mixture of personal characteristics and informal
and formal positioning within an organisation. This authority creates attributes of

58 Basel Committee, Implementation of the Compliance Principles: A Survey, 2 (2008), <https://www.bis.org/publ/bcbs142.pdf>, (accessed 20 August 2018).
59 Ibid., (Basel Committee, 2008), at 2.
power which will fluctuate depending on the internal dynamics of the business and
its environment. If compliance is perceived as lacking this authority it will be seen
as an advisory function which may be ignored at will.
At the same time there is a strong risk that a powerful compliance department may
be corrupted. The senior compliance staff need to be aware of this risk and to manage
an abuse of ‘excess power’ and control the risk of staff exulting in finding problems
and exaggerating issues. This may also be an issue since an important function of
compliance is for its staff to act as communicators with the business and as an inter-
locutor between the business and the regulators.
It is also possible with the introduction of the SM&CR that the relationship between
the regulators and the compliance function may have become even more adversarial.
The ‘existence and use of enforcement action and personal accountability regimes
have moved the relationship to one in which each side is extremely wary of the other
and subject to conditional trust’.60

SM&CR and the Compliance Officer

There is a continuing and growing risk in being a compliance officer.61 The regulators
have noted that taking action against individuals is 'not easy. They are evidentially
complex and hard fought'.62 The FCA had been using 'attestation letters' to ease the
path of regulatory enforcement.63 However, the FCA and PRA will be able to use the
powerful provisions of the SM&CR going forward. These came into force for banks
in 2016 and are due to be extended to all regulated firms in 2019.

60 Neil Gunningham and Richard Johnstone, Regulating Workplace Safety: Systems and Sanctions, 191 (Oxford, OUP, 1999).
61 Patty Tehrani, Do Compliance Officers Have a Growing Target on Their Backs?, Compliance and Enforcement, New York University School of Law, (2018) <https://wp.nyu.edu/compliance_enforcement/2017/09/28/do-compliance-officers-have-a-growing-target-on-their-backs/>, (accessed 7 May 2018). See also FCA, FCA Fines and Prohibits Mr Stephen Bell, Former Director of Network Financial Group, From Performing Compliance Oversight Function (13 March 2015), <https://www.fca.org.uk/news/press-releases/fca-fines-and-prohibits-mr-stephen-bell-former-director-network-financial-group>, (accessed 7 May 2018); FCA action against Anthony Wills, Compliance Officer at the UK operations of Bank of Beirut, The Financial Conduct Authority Imposes £2.1m Fine and Places Restriction on Bank of Beirut After it Misled the Regulator (5 March 2015), <https://www.fca.org.uk/news/press-releases/financial-conduct-authority-imposes-£21m-fine-and-places-restriction-bank-beirut> (accessed 7 May 2018); FCA, action against the Compliance Officer at Martin Broker (22 January 2015), <https://www.fca.org.uk/publication/final-notices/david-caplin.pdf> (accessed 7 May 2018); FCA action against the Compliance Officer at Keydata Investments (19 May 2016), <https://www.fca.org.uk/news/press-releases/fca-bans-keydata's-former-compliance-officer-peter-johnson>, (accessed 7 May 2018).
62 Tracey McDermott, Enforcement and Credible Deterrence in the FCA, speech by the FCA Director of Enforcement and Financial Crime at Thomson Reuters Compliance and Risk Summit, London (18 June 2013), <https://www.fca.org.uk/publication/news/enforcement-credible-deterrence-speech.pdf>.
63 FCA, Use of Attestations, FCA web-site (26 August 2014), <https://www.fca.org.uk/news/news-stories/fca-use-attestations>, (accessed 7 May 2018).
A full analysis of the SM&CR falls outside the scope of this paper but the effect
is likely to increase the fear of regulatory sanction and may deter individuals from
taking on the role of compliance officer in future. However, there is a view that third
party stakeholders such as shareholders, and customers can provide better sanctions
than more cumbersome and invasive regulatory action. In the case of significant
regulatory breaches this can include ‘stock price declines and social embarrassment
among family and peers’.64

Conclusion

This paper suggests that the traditional role of the compliance function is insufficient
to meet the increased expectations placed on it. Limiting its operations to advising,
monitoring and reporting is no longer enough. Going forward the compliance
officer is likely to be a focal point of regulatory attention, particularly as the SM&CR
develops.
In order to satisfy these expectations, the compliance officer will need to have sufficient
authority in the regulated firm, evidenced by membership of, at least, the
executive committee, and be seen as eminently trustworthy by both the regulators and
the regulated firm's board.
The compliance officer and the compliance team need to be professionals imbued
with, and leading, the ethical culture of the business, working proactively to meet both
the letter and the spirit of the regulations.

Appendix

Analysis of the backgrounds of senior compliance staff in major UK banks and
building societies

There has been little research on the background of senior bank and building society
compliance staff. This may be important since their background and previous experi-
ence may influence their approach to their compliance role. It may also provide some
insight into how the regulated firm views compliance as a business function.

Methodology

An ad hoc sample of fifty senior compliance staff at UK authorised major banks and
building societies was selected using LinkedIn, a comprehensive internet network for
professional staff. LinkedIn provides a work CV for each person. There were a very

64 (Parker and Neilsen), at 381, supra n1.
few senior compliance staff not recorded on this system. These individuals were
separately located and their backgrounds determined from their separate internet
profiles.
The sample of fifty divided into twenty compliance staff at investment banks and
thirty working at retail and commercial banks and building societies. Forty percent
of the sample were female.

Findings

In total a significant majority came, in roughly equal numbers, from backgrounds in
compliance, banking line management and the regulators (approximately twelve from
each of these three areas). A much smaller number came from consultancy and the law
(some three in each case). The remaining seven came from a variety of backgrounds
including risk, business strategy, IT and project management.
The predominance of former regulators, compliance and business-line staff is evi-
dent in both those working in investment banking and those in commercial and retail
banks and building societies. None of the compliance staff in the sample from the
investment banks came from either a legal or consultancy background.
The recruitment of business-line staff who do not have a compliance background
may reflect the fact that compliance tends to be process driven. Further, since many
of the regulatory problems over the years have had operational failures at their heart, it is
not surprising that there has been heavy recruitment from business line management
and other areas with banking operational experience.
