Brener 2020 Reality Vs Regul Concept Compliance Function As Gatekeeper
Alan Brener*
Abstract
This paper examines aspects of the role of the compliance department and the compliance officer, in the context of a range of control functions, in firms subject to financial services regulation. The issues and recommendations have global application beyond the UK.
The traditional expectation is that the compliance operation advises senior management on the various regulations, and monitors and reports adherence to regulatory requirements. However, this paper proposes that the compliance function needs to go further and venture beyond what some may consider its more conventional roles.
Additionally, this paper questions the extent to which boards and regulators can place reliance on the compliance functions and the compliance officer. This will depend on a number of factors including the compliance units’ ‘authority’ within the business, their professionalism, and their ethical attitudes set within the context of the firm’s own cultures.
Keywords
Background
It has been a regulatory mantra for many years that good compliance is good business. It has also been part of ‘the strategy adopted by lawyers and internal ‘compliance champions’ who seek to persuade business leaders that it is in their own long-term self-interest to comply’.1 This approach has formed part of a range of measures which over the decades have tried to encourage firms to act compliantly. These have included a focus on business and compliance processes and controls, the removal of incentive schemes which may have supported non-compliant behaviours, regulatory sanctions against
* Teaching Fellow at University College London and Queen Mary University London, UK.
1. Christine Parker and Vibeke Lehmann Nielsen, Deterrence and the Impact of Calculative Thinking on Business Compliance with Competition and Consumer Regulation 56 The Antitrust Bulletin 377-426, 384 (Summer 2011).
Brener, Alan. ‘The Role of Compliance as a ‘Gate-Keeper’ Function in Financial Services: Reality vs Regulatory Conception’. European Business Law Review 30, no. 6 (2019): 965-984.
©2019 Kluwer Law International BV, The Netherlands
966 Alan Brener
the regulated firm, the employment of regulatory principles exhorting the right conduct (e.g., ‘to treat customers fairly’), individuals held personally accountable by the regulators, etc. Nevertheless, in the UK, since the late 1980s there has been a growing focus and reliance on the regulatory ‘gate-keepers’. This paper considers aspects of the role of one of these functions: the compliance department and its leader, the compliance officer.
The financial services regulatory system in the UK, and in a number of other jurisdictions, relies upon a number of individuals and bodies operating within regulated firms to promulgate the requirements of the regulators within these firms, to monitor their implementation, to report significant issues to the senior executives and board, and to keep the regulators informed of developments. The regulatory system can only work successfully if these ‘insiders’ operate consistently with regulatory requirements and expectations.
These ‘insiders’ include individual board directors operating within a corporate governance framework and a range of specialist ‘gatekeepers’ including the general counsel and the ‘control functions’ covering, among others, risk directors, compliance officers, and senior internal audit managers. The role of boards in banking has been reviewed.2 It is now subject to greater regulatory focus under the Senior Management and Certified Persons Regime (SM&CR).3 There is also a growing interest in the work of the gate-keeper functions.4 There has also been work on the role of ‘in-house’ corporate lawyers and general counsel.5 However, almost no empirical or analytical work has been undertaken on the role of the control functions.6
More is now expected of the compliance officer and their team and they are ‘subject to ongoing and significant change, particularly in the UK’.7 The Basel Committee on Banking Supervision (the Basel Committee or BCBS) has produced a summary of
2. David Walker, A Review of Corporate Governance in UK Banks and Other Financial Industry Entities: Final Recommendations, (November 2009), <http://webarchive.nationalarchives.gov.uk/+/www.hm-treasury.gov.uk/d/walker_review_261109.pdf>, (accessed 9 May 2018).
3. Financial Conduct Authority (FCA) website, Senior Managers and Certification Regime: Banking, <https://www.fca.org.uk/firms/senior-managers-certification-regime/banking>, (accessed 31 January 2018).
4. Iris Chiu, Regulating (From) the Inside: the Legal Framework for Internal Control in Banks and Financial Institutions (London, Bloomsbury, 2015).
5. Richard Moorhead, Precarious Professionalism: Some Empirical and Behavioural Perspectives on Lawyers 67 Current Legal Problems 447-481 (2014).
6. In 2006/7 Sharon Gilad undertook some empirical work on the role of compliance officers in financial services firms. See Christine Parker and Sharon Gilad, Internal Corporate Compliance Management Systems: Structure, Culture and Agency in Christine Parker and Vibeke Lehmann Nielsen (eds), Explaining Compliance: Business Responses to Regulation (Cheltenham, Edward Elgar, 2011).
7. Deloitte website, The Changing Role of Compliance, <https://www2.deloitte.com/content/dam/Deloitte/global/Documents/Financial-Services/gx-financial-changing-role-compliance.pdf>, (accessed 17 August 2018).
The Role of Compliance as a ‘Gate-Keeper’ Function [2019] EBLR 967
compliance areas of responsibility.8 The over-arching aim is for the compliance function to ‘assist senior management in managing effectively the compliance risks faced by the bank’ including ‘monitoring compliance with the policies and procedures and reporting to management’.9 ‘The compliance function should advise senior management on compliance laws, rules and standards… establishing written guidance to staff on the appropriate implementation of compliance laws, rules and standards through policies and procedures and other documents such as compliance manuals, internal codes of conduct and practice guidelines’.10
However, this paper proposes that the compliance function needs to go further and
venture beyond what some may consider its more conventional roles. This may
include:
Additionally, this paper questions the extent to which reliance can be placed by both the boards of regulated firms and the regulators on the compliance functions and, in particular, the senior staff responsible for these areas. The results will depend on a number of factors including the role of these individuals, how they and others perceive this role, their ‘authority’ within the business, their professionalism, individual experience and training and their ethical attitudes set within the context of the firm’s own cultures.
The origins of compliance departments in financial services firms can be traced back to the rule-books of the first self-regulatory organisations established in the early 1990s under the aegis of the Financial Services Act 1986.11 Much of the current Conduct of Business regulatory rule-book has adopted the rules set out in the early 1990s by the Life Assurance and Unit Trust Regulatory Organisation (Lautro) governing investment business marketing and distribution. The guidance produced for compliance departments at that time remains relevant.12
8. Basel Committee on Banking Supervision, Compliance and the Compliance Function in Banks, Principle 7, 13-14, (2005), <https://www.bis.org/publ/bcbs113.pdf>.
9. Ibid., at 13.
10. Ibid., at 7.
11. For example, Kit Jebens, Lautro: a Pioneer Regulator 1986-1994 (private printing, in author’s collection 1997), 68.
12. Alan Brener, The Golden Threads of Compliance 3 Journal of Financial Regulation and Compliance 344-349 (1995).
More recently the Basel Committee on Banking Supervision has set out the basis
for the Compliance function. It should have a ‘formal status within the bank to give
it the appropriate standing, authority and independence. This may be set out in the
bank’s compliance policy or in any other formal document. The document should be
communicated to all staff throughout the bank’.13 The Committee states that this
policy document should set out the compliance department’s roles and responsibilities
and:
13. Basel Committee, Compliance and the Compliance Function in Banks, 11, see n8 supra.
14. Basel Committee (2005), 11, supra n8.
15. FCA Supervisory Handbook (SUP) 10C.4.3R.
16. FCA Handbook SYSC 6.1.3R.
information; a compliance officer must be appointed and must be responsible for the compliance function.17 There are also various requirements designed to prevent possible conflicts of objectives in this area including ensuring that the remuneration of the compliance officer does not compromise their objectivity and must not be likely to do so.18
A key role of the compliance function can be summarised as the preparation and promulgation of compliance policies, the provision of advice on compliance matters, the checking and assessment of new products and procedures and monitoring and reporting to the firm’s management how these policies are applied.19 This requires the existence of a permanent and effective compliance function headed by the compliance officer.20
The EBA Guidance merely notes that the findings of the compliance function should be taken into account by the management body and the risk control function within the decision-making process.21 Moreover, the compliance function also needs to be forward looking and to advise the firm’s management ‘on laws, rules, regulations and standards the institution needs to meet and assess the possible impact of any changes in the legal or regulatory environment on the institution’s activities’.22 However, these requirements are only a bare minimum and on their own fail to set out the much fuller role necessary for a fully effective compliance function.
Compliance operations are central to a company being compliant. Compliant systems are necessary but not sufficient. It is ‘compliance management … combin[ing] management, resources, values, and formal compliance management systems’, which makes a difference.23 However, there may be danger in confusing cause and effect, and it may be that good compliance management is an indicator of a compliant business rather than what produces it.
It is impossible for the regulator to be present in a firm at all times; nor should it be
necessary for the regulator to always be on-site. It is a central concept of regulation
17. SYSC 6.1.4R.
18. SYSC 6.1.4 (3) and (4).
19. European Banking Authority, Guidelines on Internal Governance (GL 44), 11, and 43, (2011), <https://www.eba.europa.eu/documents/10180/103861/EBA-BS-2011-116-final-EBA-Guidelines-on-Internal-Governance-%282%29_1.pdf>, (accessed 20 August 2018).
20. Ibid. (EBA Guidelines), at 43.
21. Ibid. (EBA Guidelines), at 43.
22. Ibid. (EBA Guidelines), at 43.
23. Christine Parker and Vibeke Lehmann Nielsen, Corporate Compliance Systems: Could They Make Any Difference? 41 Administration and Society 3-37, 28 (2009).
that the firm and its management should take ownership of their good compliance with the regulations. To ensure this, one of the key functions of the compliance function is to stand in for the regulator and to provide assurance to senior management and the board, and to the regulators and other stakeholders, that compliance risks are being properly managed. There is also a danger of a possible mis-match between regulatory expectations and what is doable by compliance. Moreover, the role of compliance has gained in breadth over the years and there is a risk that compliance tries to cover all aspects of the business. This is likely to destroy the focus of the function. It is, moreover, difficult to determine the nature of the relationship between regulatory supervisory teams and compliance functions. It should be based on trust. This relationship is crucial for all stakeholders and should be a matter for both the business board and executive close interest and possible intervention since it may have a direct effect on the success of the business itself.
The compliance department needs to be ever present in the regulated firm with a deep understanding of the business and its drivers. However, there is a natural tendency for any risk management sector to try to limit its areas of responsibility and to set boundaries to both its scope and powers. The aim would be to try and avoid blame if, and when, an issue arises in an area beyond the set boundary. This is particularly an issue with aspects of anti-money laundering where success depends on access to sufficient IT resources. Further, the compliance function has also suffered from the fact that the finance department has both undertaken the operational aspects of prudential compliance and ensured its own compliance. Dialogue with the regulator is held directly with the finance division with little role for compliance.24
Additionally, compliance in the UK has no professional body nor recognised training programme. Other gate-keeper functions all have their professional bodies. Attempts have been made in the UK to remedy this position. These have all failed for a variety of reasons including lack of regulatory support, no conceptual underpinning to the role and purpose of the function and a commensurate lack of authority in many organisations. This is an aspect that the regulators should seek to address.
In contrast to the US, senior compliance staff in the UK banking sector tend to be recruited from regulators, other compliance departments and line business areas. Very few have legal backgrounds. This may reflect the needs of the business to have people who understand how the regulators think and who have a sound knowledge of business processes. A fuller analysis is provided in the appendix to this paper.
The role of compliance within a regulated firm is often seen in the context of compliance risk management. So, for example, the European Banking Authority expects
24. KPMG, The Future of Compliance, 27 (2012), <https://www.int-comp.org/media/1048/kpmg-future-of-compliance_web_acc4.pdf>, (accessed 20 August 2018).
regulated firms to set a ‘risk tolerance’ or ‘appetite’.25 These terms are described as being interchangeable ‘to describe both the absolute risks an institution is a priori open to take (which some call risk appetite) and the actual limits within its risk appetite that an institution pursues (which some call risk tolerance)’.26 The role of the compliance function is to manage compliance risk which is defined as ‘the current or prospective risk to earnings and capital arising from violations or non-compliance with laws, rules, regulations, agreements, prescribed practices or ethical standards [which] can lead to fines, damages and/or the voiding of contracts and can diminish an institution’s reputation’.27
The compliance function can be said to have two duties: a contractual duty to their employer to identify, to manage and to report compliance risks and a more nebulous responsibility to the public good to prevent these risks becoming manifestly significantly harmful. They may be said to have taken on the ‘insider’ role of guardians of the public interest. However, fulfilling these roles is contingent on determining what compliance risk is.
‘Compliance risk’ identification requires both ‘risk assessment and risk management’ which need to be ‘aligned to corporate goals’ and the setting of ‘compliance objectives [and] systematic procedures for risk identification and reporting’ with a special focus on emerging risks.28 The approach by the compliance function needs to equate to the organisation’s ‘risk appetite’, again, as mentioned, a term borrowed from risk methodology.29 In risk terms this means having in place adequate systems of internal control which help identify, mitigate and report compliance risks.
The approach taken by compliance departments in assessing risk may appear to be very objective, reinforced by the use of complex statistics. In outline it usually involves the preparation of extensive lists of possible issues covering every aspect of a business and assigning an ‘inherent’ risk score to these problems occurring, followed by risk mitigation controls and an assessment of the effectiveness of these controls, leaving a ‘residual’ or uncovered risk which may require further mitigation depending on the institution’s ‘risk appetite’. The result may be a vast database which can be manipulated and used to produce compliance risk ‘heat maps’ employed to identify areas for increased monitoring and surveillance. Statistical analysis may be employed to assess these risks using a form of cost/benefit analysis. These techniques may
25. EBA Guidelines, at 8, supra n19.
26. EBA Guidelines, at 11, supra n19.
27. EBA Guidelines, at 43, supra n19.
28. KPMG, Clarity on Compliance: the Future of Compliance, 10 (2016), <https://assets.kpmg.com/content/dam/kpmg/pdf/2016/06/ch-clarity-on-compliance-en.pdf>, (accessed 20 August 2018).
29. Ibid. (KPMG), at 48.
The scope of regulation affecting banking has grown and evolved over the last thirty years to cover many more areas of the business with further demands for additional compliance staff.34 Consequently, the role and function of a compliance department in the UK has expanded and become of existential importance to the business and within society.
Acting as an interlocutor between the regulators and the firm is central to the role of the compliance function. There is considerable scope for a misunderstanding between the two. Often the language used by regulators means little to those working
30. Government Office For Science, Blackett Review of High Impact Low Probability Risks, 17-18 (2011), <https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/278526/12-519-blackett-review-high-impact-low-probability-risks.pdf>, (accessed 20 August 2018).
31. Julia Black, The Emergence of Risk-Based Regulation and the New Public Risk Management in the UK, Public Law 512, 521, (2005).
32. Christine Parker, The ‘Compliance’ Trap: the Moral Message in Responsive Regulatory Enforcement 40 Law and Society Review 591-622, 602 (September 2006).
33. Julia Black and Robert Baldwin, When Risk-Based Regulation Aims Low: A Strange Framework 6 Regulation and Governance 131-148, 146 (2012).
34. City AM, Why those with a head for compliance and regulation are in hot demand, as skills shortages cause salaries to rise, (29 March 2016), <http://www.cityam.com/237667/why-those-with-a-head-for-compliance-and-regulation-are-in-hot-demand-as-skills-shortages-cause-salaries-to-rise>.
within the business. The rules and guidance are frequently drafted in generic and open-textured styles while internal communications of instructions within a business are usually terse and to the precise point, often incorporated into sets of operational instructions. Similarly, the actions of the business need to be communicated back to the regulators in terms that the latter will understand.
Consequently, the compliance staff need to ‘operationalise’ regulatory rules and guidance for use within the firm in terms that will resonate with the staff that need to apply them in their day-to-day work.35
In summary, the compliance unit has five key functions:
• identifying the risks that a firm faces and advising on them (identification)
• designing and implementing controls to protect a firm from those risks (prevention)
• monitoring and reporting on the effectiveness of those controls in the management of an organisation’s exposure to risks (monitoring and detection)
• resolving compliance difficulties as they occur (resolution)
• advising the business on rules and controls (advisory).36
Compliance in Operation
The compliance function faces a number of significant issues in carrying out its increasingly wide-ranging roles. The first is knowing the business. The compliance operation can be said to stand in place of the regulator within the business and consequently, the latter would expect the compliance function to understand the business in considerable depth. In a complex business spread over many locations and jurisdictions this may be very difficult.
Second, compliance needs to understand the requirements of the regulations and regulators. This means appreciating all the sources of regulation (e.g., primary and secondary legislation, regulatory rules and ‘guidance’ and the importance of regulatory reports and speeches). Closely linked to this is the third important task of developing a high level of trust with the regulators. The broadly drawn regulations and highly discretionary element in UK regulation mean that all firms are always in breach of one or more rules and consequently, the importance of establishing and maintaining relationships of trust with the regulators is crucial to the success of the compliance function and, hence, the regulated business. This requires that compliance is undertaken proactively, including embedding the compliance function within the business strategy and product and process development systems.
Part of this approach requires a considerable knowledge of what is going on within
the business. This could include adopting a technique developed by the Prussian
general staff in the mid-19th century of the ‘directed telescope’ to control army and
35. International Compliance Association (ICA) web-site, <https://www.int-comp.org/careers/a-career-in-compliance/what-is-compliance/>, (accessed 23 January 2018).
36. Ibid., (ICA web-site).
corps units in the war with Austria in 1866. Essentially, this means having compliance staff reporting to the centre based in each of the significant businesses and operational areas. However, this may be at odds with the discredited ‘three lines of defence’ model currently adopted by many large regulated firms. This issue is considered later in this paper. There are further important sources of information including customer complaints and ‘whistleblowers’ who often have information based on their own knowledge and observations.
Understanding the compliance risks faced by the business includes analysing both ‘upstream risk’ (i.e., potential risks which have still to come into focus such as draft legislation) and ‘downstream risk’ where the issues are clear (e.g., legislation which has been enacted but not yet implemented). Compliance will need to have a unit monitoring and assessing these risks to determine the need to make representations to, for example, legislators and to prepare the business in time for changes required to address these risks.
The compliance unit will also need to be deeply embedded in business strategy development including the formal sign-off processes (e.g., for business strategies, acquisitions, significant business restructuring, product development and marketing etc). It is important, as will be discussed later, that compliance has sufficient authority in the business to be able to say ‘no’ and to halt a project.
The compliance unit will also be responsible for monitoring aspects of the business, testing and reporting and follow up. The areas selected for checking will depend on how compliance risk is assessed. This element is considered later. Compliance must be tenacious. It must never let go until it is completely convinced that the problem issues have been adequately resolved and that this has been evidenced. This requires both drive and a sense of urgency. Regulatory enforcement has demonstrated weaknesses in these areas.37
The compliance unit, and especially the compliance officer, need to have a very close relationship, based on mutual trust, with the chairman of the main board and the board audit and risk committee or its equivalent. There is a strong argument for the compliance officer to be a member of the business executive committee and for the chief risk officer to be on the main statutory board. All these aspects have grown in importance with the implementation of the SM&CR which affixes personal responsibility and liability on many board members and other key individuals in the firm including the compliance officer.
37. FCA, UBS AG, Final Notice re Kweku Adoboli (25 November 2012), <https://www.fca.org.uk/publication/final-notices/ubs-ag.pdf>, and FCA, JPMorgan Chase Bank, Final Notice re Bruno Iksil (‘London Whale’) (18 September 2013), <https://www.fca.org.uk/publication/final-notices/jpmorgan-chase-bank.pdf>, (both accessed 20 August 2018).
It is equally important that there is a bond of trust between the compliance officer, and their team, and the supervisory sections within the regulator. The latter must be confident that the compliance unit will notify it of any significant issues very promptly and will be open in its disclosure of information. Any failure to report material issues very swiftly will always make the issues worse and undermine regulatory confidence. A trustworthy compliance function is more likely to be trusted by the regulator to carry out a thorough ‘root-cause’ analysis and quickly to provide an unvarnished report on the issues and their resolution. This may spare the business further regulatory intervention and enforcement action. Finally, there needs to be a close relationship between the compliance function and the other control functions (e.g., internal audit and risk). This should also include the general counsel and legal department.
It is evident that, in the past, in some companies compliance staff have not been properly selected and trained and there has been little professional development. There is a risk that they may lack the necessary strength of character or the ability and skills for such an important role. In addition, compliance functions face an ever growing remit and possible overload. Since everything a business does is subject to regulation there is a considerable danger of compliance being too thinly spread and, in trying to defend everything, failing to protect anything.
There are further risks that elements of the compliance function may be outsourced and some firms become too dependent on the use of external consultants. All these factors pose significant risks for the business. The regulator will be aware of these potential issues and may judge the senior management of the firm accordingly.
There is a perception by the regulators, and this is reinforced in the regulations, that businesses are structured in the form of strict hierarchies. However, in practice firms are much more fluid, operating through informal networks which frequently change, with responsibilities often moving depending on the task or issue in hand. This poses issues for both regulators and firms since these undocumented arrangements are often not understood or appreciated by the regulated business itself or by the regulator.
Second, issues with corporate structures are compounded by a management theory, supported by the regulators, known as the ‘three lines of defence’ which has been widely adopted and is still prevalent in the financial services industry. In essence it divides the roles of ensuring control of risks and compliance into three, with the front-line business functions taking primary responsibility for risk management and regulatory compliance, with a second line of control functions, such as the compliance department, checking and reporting on the effectiveness of the first line, backed up by
the firm’s internal audit function providing a third and final line of defence. The theory sounds conceptually attractive but it is difficult to operate successfully and has been described as providing ‘a wholly misplaced sense of security … responsibilities have been blurred, accountability diluted, and officers in risk, compliance and internal audit have lacked the status to challenge front-line staff effectively. Much of the system became a box-ticking exercise whereby processes were followed, but judgement was absent’.38
A recent regulatory review found that ‘understanding of the role and purpose of the compliance function was sometimes not clear’ within the business ‘or had become blurred by the addition of control functions to the first line of defence’.39 The ‘three lines of defence’ model may have also promoted the use of an ‘accountability firewall’ ‘to prevent those in senior positions having a strong sense of personal engagement with and responsibility for failings and misconduct within their line of management’.40
A Compliant Culture
38. Report of the Parliamentary Commission on Banking Standards, Changing Banking for Good, Vol. I: Summary, and Conclusions and Recommendations, HL Paper 27-I HC 175-I, 141 (2013), <https://www.parliament.uk/documents/banking-commission/Banking-final-report-volume-i.pdf>, (accessed 20 August 2018).
39. FCA, The Compliance Function in Wholesale Banks, para. 22.3 (November 2017), <https://www.fca.org.uk/publication/research/the-compliance-function-in-wholesale-banks.pdf>, (accessed 20 August 2018).
40. Ibid., (PCBS report), at 283.
41. Parker and Gilad, at 175, supra n6.
42. Parker and Gilad, at 176, supra n6.
43. Ibid.
compliance system and other aspects of social structure, and through which they conceive of possible responses.44
Without the right business culture all regulations are likely to be futile. The FCA
are conscious of this issue. ‘Financial services is still about the money and about fear
– including fear of the regulator. I talked recently to a senior executive who told me
that fear had driven them to make radical and rapid change for the better. However,
she told me that it was a very effective source of motivation but it wasn’t personally
sustainable for the long term. So, fear can’t be the only source of motivation’.45 It is
often summarised in the trope that ‘culture eats process’ and it is to process that this
paper next turns.
Much of the regulation governing the UK financial services industry is process orientated. The regulation sets an objective (e.g., the firm must ‘determine whether the customer has the necessary experience and knowledge to understand the risks related to a particular product’).46 However, the regulators will leave it to the firm to devise the appropriate process to achieve this end. This will include how the process is monitored and the results reported.
This has been described as the government taking on the role of a ‘meta-manager’, as it seeks ‘to guide and motivate firms to order their own economic activity in a way that is more aligned with social interests’.47 Others have described it as ‘enforced self-regulation’.48 It requires cooperation on the part of the regulated firm with the regulator in a spirit of trust and responsibility. The regulators will monitor and enforce compliance both to ensure protection of the public interest and also to protect and encourage those firms that have acted responsibly in meeting the regulatory objectives. The compliance function has a central role in fulfilling these objectives. That the business management are trustworthy is central to this concept.
Meta-regulation has many advantages since, by setting regulatory objectives, policy-
makers can encompass a wide variety of businesses and organisational styles and
systems without having to produce thousands of specific rules.49 Moreover, the
employment of ‘gate-keepers’ within the business means that the process of monitoring
and reporting compliance is always ‘on’ and is not wholly reliant on periodic regulatory
inspection visits. Trust is conditional, and regulated firms and individuals may
be subject to substantial regulatory sanction if significant failures are found.
44
Ibid.
45
Jonathan Davidson, Culture and Conduct – Extending the Accountability Regime, speech by the
FCA Director of Supervision, (20th September 2017), <https://www.fca.org.uk/news/speeches/culture-conduct-extending-accountability-regime>, (accessed 20 August 2018).
46
FCA, Conduct of Business Sourcebook 10A.2.3.
47
Cary Coglianese and David Lazer, Management-Based Regulation: Prescribing Private
Management to Achieve Public Goals 37 Law and Society Review, 691-730, 713, (2003).
48
Ian Ayres and John Braithwaite, Responsive Regulation: Transcending the Deregulation Debate
in Martin Lodge, Edward Page and Steven Balla (eds), The Oxford Handbook of Classics in Public
Policy and Administration, 564 (Oxford, OUP, 2015).
49
Coglianese and Lazer, at 705, supra n47.
There are, nevertheless, also difficulties in establishing a concurrence between the
management objectives of the regulated firm and those of the regulator.50 This level
of objective and methodological coordination needs to permeate through all the organ-
isational levels within a business.51
This system is likely to result in process-based regulation.52 There is a tendency
for regulators to focus on process rather than outcomes. This is largely because the
regulations are often set out in operational terms and it is generally easier to assess
process compliance. Measuring outcomes is more difficult and the results less clear-
cut. This is particularly an issue with areas such as business culture and ethics.
Measuring and assessing these important areas pose a challenge to both firms and
regulators.53 It is suggested that this form of regulation lends itself to industries where
the regulator ‘knows the result it is trying to achieve but does not know the means for
achieving it, when circumstances are likely to change in ways that the [regulator]
cannot predict, or when the [regulator] does not even know the precise result that she
desires’.54 The regulatory position may become even more complex where each
regulated firm is required to evaluate itself against vaguely defined regulatory objec-
tives and to devise its own remedial actions to deliver the regulatory goals. This was
evident in the Financial Services Authority’s ‘Treating Customers Fairly’ (TCF)
initiative.55
Measuring Compliance
The Basel Committee paper on compliance suggests that ‘the compliance function
should consider ways to measure compliance risk’.56 Conceptually this appears sound
and there are some useful measures (e.g., customer complaint levels, dealing limit
breaches etc.). However, it is likely that most measures used will be too simplistic
and too high-level and aggregated to be useful, and may be misleading. There will
be useful data, for example staff opinion surveys which indicate levels of trust and
engagement within organisations, but the information needs to be analysed down to
the lowest sectoral level possible. This may help, for example, to identify disaffected
teams and distrusted leadership which may present compliance risks.
Presenting aggregated ‘dashboards’ to risk and audit committees may tend to mask
problems and present too rosy a picture when issues are buried in the depths of the
business.
50
Neil Gunningham and Darren Sinclair, Organizational Trust and the Limits of Management-Based
Regulation 43 Law and Society Review 865-867 (2009).
51
Ibid. (Gunningham and Sinclair), at 872.
52
Sharon Gilad, It Runs in the Family: Meta-Regulation and its Siblings 4 Regulation and
Governance 485-506, 488-491 (2010).
53
OECD, Good Practice Guidance on Internal Controls, Ethics, and Compliance (2010), <https://www.oecd.org/daf/anti-bribery/44884389.pdf>, (accessed 20 August 2018).
54
Cristie Ford, Innovation and the State: Finance, Regulation, and Justice, 96 (Cambridge, CUP,
2017).
55
(Parker and Gilad), at 179 – 190, supra n6.
56
(BCBS), at 14, supra n8.
As mentioned earlier, compliance needs to assess ‘up-stream’ risks. The latter can be
viewed as those risks which are perceived but have not yet crystallised. This could
be draft legislation which is still progressing through the legislative process and which
might be subject to amendments as it progresses. It could include campaign-group or
think-tank ideas which may influence the political debate. Compliance and other
gate-keeper functions need to be aware of these risks and their possible effect on the
business and its customers, suppliers and other stakeholders. It may be an area for
intervention in an attempt to influence the discussions. However, lobbying may be
controversial and pit the firm against other interest groups, and may result in regulation
and other forms of governmental action which are in the interest of the business but
not necessarily in the interest of the public or other stakeholders. This presents gate-
keeper functions with a moral dilemma and tests their professionalism.
57
(BCBS), at 13-14, supra n8.
However, this paper suggests that this is not sufficient. It is also important that com-
pliance reports directly to the main board and the appropriate board sub-committees.
The compliance officer should also be a full member of the executive committee
managing the firm. This helps ensure that compliance understands the business strat-
egy and enables it to have its voice heard in determining this. It demonstrates the
importance assigned by the firm to compliance and helps to buttress the authority of
the function.
58
Basel Committee, Implementation of the Compliance Principles: A Survey, 2 (2008), <https://
www.bis.org/publ/bcbs142.pdf>, (accessed 20 August 2018).
59
Ibid., (Basel Committee, 2008), at 2.
power which will fluctuate depending on the internal dynamics of the business and
its environment. If compliance is perceived as lacking this authority it will be seen
as an advisory function which may be ignored at will.
At the same time there is a strong risk that a powerful compliance department may
be corrupted. The senior compliance staff need to be aware of this risk, to guard against
the abuse of ‘excess power’, and to control the risk of staff exulting in finding problems
and exaggerating issues. This matters all the more because an important function of
compliance is for its staff to act as communicators with the business and as an inter-
locutor between the business and the regulators.
It is also possible with the introduction of the SM&CR that the relationship between
the regulators and the compliance function may have become even more adversarial.
The ‘existence and use of enforcement action and personal accountability regimes
have moved the relationship to one in which each side is extremely wary of the other
and subject to conditional trust’.60
There is a continuing and growing risk to being a compliance officer.61 The regulators
have noted that taking action against individuals is ‘not easy. They are evidentially
complex and hard fought’.62 The FCA had been using ‘attestation letters’ to ease the
path of regulatory enforcement.63 However, the FCA and PRA will be able to use the
powerful provisions of the SM&CR going forward. These came into force for banks
in 2016 and are due to be extended to all regulated firms in 2019.
60
Neil Gunningham and Richard Johnstone, Regulating Workplace Safety: Systems and Sanctions,
191 (Oxford, OUP, 1999).
61
Patty Tehrani, Do Compliance Officers Have a Growing Target on Their Backs?, Compliance
and Enforcement, New York University School of Law, (2018) <https://wp.nyu.edu/compliance_enforcement/2017/09/28/do-compliance-officers-have-a-growing-target-on-their-backs/>, (accessed 7
May 2018). See also FCA, FCA Fines and Prohibits Mr Stephen Bell, Former Director of Network
Financial Group, From Performing Compliance Oversight Function (13 March 2015), <https://www.fca.org.uk/news/press-releases/fca-fines-and-prohibits-mr-stephen-bell-former-director-network-financial-group>, (accessed 7 May 2018); FCA action against Anthony Wills, Compliance Officer at the
UK operations of Bank of Beirut, The Financial Conduct Authority Imposes £2.1m Fine and Places
Restriction on Bank of Beirut After it Misled the Regulator (5 March 2015), <https://www.fca.org.uk/news/press-releases/financial-conduct-authority-imposes-£21m-fine-and-places-restriction-bank-beirut>
(accessed 7 May 2018); FCA, action against the Compliance Officer at Martin Broker (22 January 2015),
<https://www.fca.org.uk/publication/final-notices/david-caplin.pdf> (accessed 7 May 2018); FCA action
against the Compliance Officer at Keydata Investments (19 May 2016), <https://www.fca.org.uk/news/press-releases/fca-bans-keydata’s-former-compliance-officer-peter-johnson>, (accessed 7 May 2018).
62
Tracey McDermott, Enforcement and Credible Deterrence in the FCA, speech by the FCA
Director of Enforcement and Financial Crime at Thomson Reuters Compliance and Risk Summit,
London (18 June 2013), <https://www.fca.org.uk/publication/news/enforcement-credible-deterrence-speech.pdf>.
63
FCA, Use of Attestations, FCA web-site (26 August 2014), <https://www.fca.org.uk/news/news-stories/fca-use-attestations>, (accessed 7 May 2018).
A full analysis of the SM&CR falls outside the scope of this paper, but the effect
is likely to increase the fear of regulatory sanction and may deter individuals from
taking on the role of compliance officer in future. However, there is a view that third-
party stakeholders such as shareholders and customers can provide better sanctions
than more cumbersome and invasive regulatory action. In the case of significant
regulatory breaches this can include ‘stock price declines and social embarrassment
among family and peers’.64
Conclusion
This paper suggests that the traditional role for the compliance function is insufficient
to meet the increased expectations placed on the role. Limiting its operations to advis-
ing, monitoring and reporting is no longer enough. Going forward, the compliance
officer is likely to be a focal point of regulatory attention, particularly as the SM&CR
develops.
In order to satisfy these expectations, the compliance officer will need to have suf-
ficient authority in the regulated firm, evidenced by membership of, at least, the
executive committee, and must be seen as eminently trustworthy by both the regulators
and the regulated firm’s board.
The compliance officer and the compliance team need to be professionals imbued
with, and leading the ethical culture of the business working proactively to meet both
the letter and the spirit of the regulations.
Appendix
There has been little research on the background of senior bank and building society
compliance staff. This may be important since their background and previous experi-
ence may influence their approach to their compliance role. It may also provide some
insight into how the regulated firm views compliance as a business function.
Methodology
An ad hoc sample of fifty senior compliance staff at UK authorised major banks and
building societies was selected using LinkedIn, a comprehensive internet network for
professional staff. LinkedIn provides a work CV for each person. There were very
few senior compliance staff not recorded on this system. These individuals were
separately located and their backgrounds determined from their separate internet
profiles.
64
(Parker and Neilsen), at 381, supra n1.
The sample of fifty divided into twenty compliance staff at investment banks and
thirty working at retail and commercial banks and building societies. Forty percent
of the sample were female.
Findings