Richard Crannis MCSI, independent regulatory consultant, and Compliance Forum Committee member, provides a useful checklist for compliance officers to enable them to maintain a robust compliance function
View the Compliance Forum event on CISITV and earn 75 minutes' total CPD if you answer the questions correctly
The ongoing tsunami of regulatory change places pressure on compliance to not only assist firms to maintain compliance with existing rules and legislation, but also to scan horizons to help firms interpret and implement such change.
The introduction of the Senior Managers and Certification Regime (SMCR) has created additional expectations, particularly regarding the requirement to demonstrate reasonable steps. It is therefore essential that every compliance officer is equipped with the right tools and methodology to function effectively, which in turn helps an SMF role holder to demonstrate reasonable steps.
There are some fundamental steps that every compliance officer can take to create a compliance function which is able to operate effectively and provide a strong basis on which to perform its second line of defence activities:
- Make sure you understand your firm’s business model, its products, services and client types.
- Maintain an up-to-date regulatory footprint, summarising the relevant legislation, PRA & FCA rules, which will be driven primarily by the business model and its operating environment.
- Ensure you maintain policies and procedures which capture all your regulatory obligations and are embedded across your firm. Keep them up to date by a robust version control process and clarify who owns each policy and ultimately who is responsible for signing off/approving each policy.
- Undertake a regular compliance risk assessment (CRA). This should be performed at least annually but may require ad hoc changes due to regulatory changes. The CRA should link back to a firm’s business model, regulatory footprint and associated policies and procedures.
- Ensure you have in place a robust and measurable compliance monitoring programme (CMP). The CMP will be an iterative programme, but again must link back to your business model, regulatory footprint and associated policies and procedures. Without this clarity it may prove difficult to demonstrate the rationale behind the CMP and that it is fit for purpose.
- One of the biggest challenges facing compliance departments is maintaining the right balance of skills within a team. As above, until you can fully articulate your compliance arrangements, it will be difficult to know what type and quantity of resource is needed. Compliance officers should continually assess and monitor the effectiveness of their department and factor in succession planning and meaningful performance management.
- As mentioned above, regulatory change forms an important part of a compliance officer’s remit. While compliance typically is tasked with identifying and assessing the impact of regulatory change on a firm, they are not usually the ones implementing the required changes (mostly they shouldn’t be). Aside from having a robust process to identify regulatory change, compliance also needs to achieve clarity on what its role is in doing so, but also how such change will be implemented. Lack of clarity could lead to important regulatory changes going unnoticed or being poorly implemented.
- One important aspect of a compliance officer’s role is producing regular reports, management information (MI) and dashboards, which provide summaries of the key regulatory risks and trends. Without the provision of regular and accurate compliance reporting, it will be difficult for compliance and senior management to fully understand the regulatory risks and what actions will be needed to mitigate them. As alluded to above, each stage of the process referred to points compliance in the direction of producing MI which is relevant to the business model and regulatory environment in which the firm operates. Compliance officers should therefore regularly assess and adapt compliance MI reporting to ensure it is fit for purpose and covers the key areas relevant to the firm.
In summary, the role of compliance is critical in assisting firms identify, assess, monitor and mitigate regulatory risks. Compliance officers must therefore maintain their own systems and controls to assist them in performing their duties.
One final word of caution: compliance is regularly asked to give its input and opinion on a range of matters – we have all too often heard “what does compliance think?” However, it is important to recognise that compliance doesn’t always have the answer, and it’s not feasible to be involved in all matters. An effective compliance department will therefore spend time with senior management and the firm clarifying its role and how it interacts with and oversees the business.
Views expressed in this update are those of the author alone and do not necessarily represent the views of the CISI.