ICQ Log - Talking Points

Who is the Lonely Compliance Officer? (Part 2)

 

Last Updated: August 10, 2022

A Takeaway Toolkit for the Lonely Compliance Officer

There has been profound change since 2002, when Compliance Institute was formed.

The Compliance role itself is now a recognised and respected profession.

The Financial Services industry has well-developed compliance functions and governance structures.

The compliance officer and the compliance function are now long-standing key cornerstones of the Central Bank of Ireland’s regulatory engagement programmes and structures.

The Compliance Institute is the pre-eminent educational, development, membership and representative entity for compliance professionals in financial services/regulated sectors.

• The resourcing of such functions needs to be strong, appropriate and maintained as such, in order to be effective with support for its profile, authority, status and independence.

• New areas of attention in recent years have been in e.g. Data Protection, IT/Cyber, Sanctions, and following COVID-19 we have seen much regulatory attention across potentially conflicting prudential and consumer issues as well as on Operational Resilience, which is unlikely to abate.

Some Things Have Not Changed However
(I am sure we would agree?) 

The scope, frequency, detail and complexity of the compliance universe continues to grow at a frighteningly exponential rate.

In such an environment, the mandate for compliance needs to be kept under review to ensure no under-lap and that any overlap is properly managed.

The profile of the function needs to be reflected and respected at the top level.

The status of the functions and compliance specialists can be quite variable across the industry and may conflict with the profile of roles, affecting the authority of the function. Has the authority of the compliance function declined in relation to e.g. Risk, Data Protection due to the extent of regulatory attention there?

In this article

• As promised in Part 1, I thought it might be helpful to identify some lessons that I think we all learnt arising from COVID-19 and opportunities we might try to take on in our ongoing work.

• In closing the LCO era (I promise), I thought I should identify what to me are clear takeaway lessons picked up along the way to help the formerly-but-lonely-no-more, compliance officer.

• And finally, some thoughts on the very practical support that the Compliance Institute can and does provide its members to assist on all of this.

Firstly, some particularly stark lessons from COVID-19.

COVID-19/Omicron – Some Lessons

Across society in general and our industry sectors, the pandemic has seen significant development in public awareness and understanding of:

• Compliance as a concept and practice; and

• Of the respective requirements and stances of different stakeholders and that stakeholder management relates to more than that of protecting shareholder wealth, for example.

As Compliance Institute members, these Covid-19 lessons have significant relevance for our sectoral world too.

Facts and evidence back in fashion? Dealing with REAL fear – life and death – helps to focus the mind and to relegate financial considerations to where they belong.

Also has helped to identify, call out and deal with conflicts of interest and balancing continually the respective rights/priorities and needs of different stakeholders. Not all stakeholders are created (or stay) equal. Stakeholders’ engagement seen as crucial.

Clear priorities and plans to deliver on problems, potential solutions and required actions.

Plans, actions, results and change in action – of critical importance to identify, implement and account for delivery, delay, failures and change.

Need for clear understanding of scale of problems, solutions, action required and public response – all must be made clear and regularly adapted and continually communicated.

Public trust seen as CRITICAL.

Leadership seen as needing to be decisive, inclusive, caring, open, honest, courageous.

Carrot and stick – persuasion and real, credible and enforced punishment for non-COMPLIANCE.

Conflicts of interest were less in evidence or more faced up to because of the common purpose of defeating the virus with proponents less “brave” in self-promotion of their own causes? Are we quite poor at identifying, challenging and requiring disclosure of CoIs in Ireland? These are key roles of the Compliance Officer.

In summary, much focus on Courage, Integrity, Fairness, Collaboration, Dependability, Confidence and Trust and dealing with conflicts of interest – central to the Compliance agenda.

A 5A Model for The Compliance Officer
Awareness, Authority, Access, Alignment and Accountability

1. Awareness

Training to be provided and received

Rotation and secondment across the business

Access (all areas) to corporate plans, strategy, “deals”, products, inside and other sensitive information

Trusted adviser

Culture Role

Priority access to skills and knowledge development such as:

• IT (systems development, reports, investigative tools, machine learning)

• Leadership/management

• Communication/influencing etc.

2. Authority

Clear mandate:

• Role/responsibilities formalised in compliance framework reviewed annually/regularly reported

• Agreed and regularly updated compliance universe with great clarity on what is in and what is out – highlighting underlap or overlap with other control functions or Board expectations

• Reporting to Board/board committee/management to continually highlight known unknowns/relevant and related matters not covered by Compliance mandate but of critical importance

Independence:

• Function should not have operational responsibility (outside of running the Compliance function) and should have an appropriate reporting line

• To be reflected in fair budget and resource arrangements and any concerns here must be expressed, highlighted, and addressed by management/Board to CO’s/HoC’s satisfaction

• In many larger institutions it is best practice that the HoC makes an annual declaration to the Board that she/he is satisfied that the Compliance function has the independence to carry out its functions and is not constrained in that regard

Compliance function should be part of the work programme of other control functions – e.g. internal audit and risk (and vice versa) – and also be externally reviewed every few years.

Expectation to speak freely (and of course responsibly).

Senior status – including relativities in salary/remuneration, grade structures and reporting lines internally as well as vis-à-vis market levels.

High senior profile as reflected also in inclusion in communication, engagement, meetings, membership/attendance at briefings/project and programme groups.

Reflected in positioning of Compliance role by CEO/senior management with Board, regulators, auditors, other management, external parties etc.

3. Access

To be guaranteed to all Board and committee members.

Regular scheduled meetings (frequency to be agreed) and also by request but not dependent on an invitation:

• With CEO

• With Board

• With relevant Committee chair

Must be on circulation list as of right – not at its REQUEST - for all board/board committee papers and Executive management team papers (applicable to the Compliance function’s part of its own corporate structure and areas of responsibility).

4. Alignment

• With sibling control functions – risk, internal audit, Data Protection/Cyber/Financial Crime, ESG, authorisations, legal, and compliance colleagues in other group jurisdictions

• Develop (in)formal networks

• Schedule frequent formal meetings with these as required with agendas and action points

• Share annual plans and updates

• Share own/other internal/external findings of reviews/investigations/reports

• Share concerns and areas requiring common attention/shared knowledge

• Together ensure alignment with e.g. Legal and HR, especially in relation to SEAR/IAF, F&P, MCC, PRISM issues/developments/responsibility/regulatory relevance with the business

• Know the business – the products and processes

• Be involved/included in product development processes

• Be involved in customer care/engagement/change/communication processes

• Have input to policy, plans, culture and strategy issues

• Know the people and understand their objectives, goals, expectations, fears, pressures

• Understand their drivers and key and real performance metrics and targets – their areas of attention (remuneration, reward and recognition incentives and disincentives)

• Respond to what conflicts of interest these may cause

In the hybrid model face to face meetings help the eye-balling necessary as well as trust building, more openness (i.e. truth, “nowhere to run, nowhere to hide”) and better opportunities to show empathy or challenge (as required).

5. Accountability

• While it is the responsibility for all to be compliant

• Specified individuals are accountable and should be clearly identified as such

• Both across the business in those designated business processes to ensure business is carried out in a compliant manner such as in routine first line business checking, implementation, review;

• As well as in Compliance, providing briefing, training, supporting implementation, monitoring, reporting, remediation, etc.

• SEAR/IAF alignment of roles and responsibilities, agreed priorities, delivery, shared and allocated accountability is CRITICAL

• Responsibility for the management, communication, reporting and control of conflicts of interest must be properly allocated and undertaken and accountability properly understood, acknowledged and reported upon

• Experience shows (while onerous) having an annual director compliance statement process (DCS - even if not a regulatory requirement) can be very beneficial to an organisation.

• This would formally require the organisation to undertake and report upon standard (or specific) review processes carried out and signed off by the accountable owners

• Gives comfort to directors that it is in order to sign a DCS

• Balances accountability and responsibility across the organisation (the three lines of defence) and between board, management and staff

• Would greatly assist a post-SEAR/IAF world

What can Compliance Institute do for you?

In addition to all of the standard offerings so excellently provided by our Compliance Institute, the following are also necessary - for starters:

• Mentoring by senior compliance practitioners

• Technical and soft skills – such as leadership, influencing, communication, presenting/writing

• Developing models for better stakeholder management and regulatory engagement

• Learning/sharing best practice matrix management for regulatory structures and compliance operations from large global entities

• Supporting the Compliance Officer to support the firm on integrating Ethics/Culture/Compliance and in engagement and leadership on culture/ethical awareness and change, inculcation and development

• Practical guidance on working independently of, but collaborating closely and effectively with, sibling compliance functions (e.g. prudential, consumer, AML, ATF, financial crime, ESG, Data Protection/cyber, sanctions, corruption, authorisations, market abuse and international regulatory engagement models) to enable boards to understand what is managed (or not) and where

• Supporting the Compliance Officer’s all areas access to people, power and information

• Helping to develop the skills to understand and challenge the business

Your institute needs you. Help it to help you.

What are you waiting for?

Get involved, today.

AUTHOR:  Seán Wade

Former Compliance Institute President and Honorary Fellow. 

ICQ Summer Edition 2022

This article was taken from Compliance Institute's ICQ Summer Edition 2022