Monday, September 18, 2006

How Is Compliance Different?

How is compliance different from the other three internal control functions in a financial institution, i.e. legal, internal audit and risk management? Today I would like to make some comparisons and contrasts based on my observations.

Compliance v Legal

Compliance officers should of course have certain legal knowledge, but not necessarily experience of legal practice. Lawyers are responsible for legal documentation, giving legal opinions on critical issues, and handling legal proceedings. Usually compliance officers are "generalists" and lawyers are "specialists" (that's why they are paid more).

The mindsets of these two kinds of professionals are quite different. Lawyers focus more on legal interpretation and reasoning, while compliance officers are more solution-oriented and people-oriented. Lawyers like to ask "what" questions, while compliance officers like to ask "how" questions.

Compliance v Internal Audit

Compliance officers are not happy to see non-compliance, while internal auditors are happy to find "something wrong". Therefore, compliance officers can make "friends" with business people, while internal auditors must keep a distance from their (presupposed) "enemies".

Originally, internal auditors paid attention only to internal control issues. In recent years they have begun to take a hand in compliance reviews, thereby creating a conflict of interest with compliance officers.

Compliance v Risk Management

Risk managers deal with all sorts of risk factors, including at least market risk, credit risk, liquidity risk, legal risk and operational risk. Compliance overlaps with risk management in the areas of legal risk and operational risk, which are measured more qualitatively than quantitatively.

In terms of mindset, compliance officers also do their jobs using a risk-based approach (which is also supported by the regulators). Risk managers and compliance officers should work closely to manage operational risk, because sometimes control issues that are not highly risky could still be considered serious by the regulators.

6 comments:

  1. Anonymous 12:35 PM

    While the term “compliance” is not a novel word, and should have been in the Oxford or Longman since their first editions, the concept of Compliance I believe has been misunderstood by a lot of people in the financial industry, especially people in the banking industry. You could hardly find a Compliance Department within a bank’s org. chart before 2003 when the SFO kicked in.

    The misconception/misunderstanding many a time occurred deliberately for the protection of one's own interest (i.e. passing responsibilities, passing blame, making one's own life easier etc.). Some real-life misconception incidents are as follows:

    Compliance department is the owner of client agreements and other account documents. [Client agreements and other terms and conditions are legal documents governing the relationship between the company and its clients. They are legal documents. Compliance personnel will inform the lawyers of the sources of regulatory requirements that affect legal terms, e.g. the Code contains specific requirements on the contents of client agreements. It is for the lawyers to draft the necessary terms and conditions. The compliance personnel will review agreements and T&C from time to time to identify places for improvement (to be more in line with current regulatory requirements).]

    Circulars issued by regulatory bodies are regulatory requirements that the compliance personnel should handle (e.g. to form a project team, be the project owner/leader, be responsible for system changes, procedure revisions, training etc.). They define every piece of written correspondence as a regulatory requirement. I have come across an occasion when the MA issued a circular to banks advising them to pay attention to certain topical issues. People (of course powerful people, including the IA) were of the view that certain internal guidelines had to be issued by the compliance department (rather than the relevant operational departments).

    The compliance personnel were approached for ways of handling an account where the client was deceased. (I think the operations personnel should have the knowledge to handle such accounts, and they should consult the legal department instead.)

    External enquiries (e.g. a solicitor requesting information on a deceased account/bankrupt account; the IRD requesting information on clients; listed companies asking for information concerning shareholders under S.329 SFO; lawyers requesting information on holders of a particular stock for due diligence purposes etc.) are handled by compliance because the compliance personnel are to handle all correspondence with regulators.

    The compliance department is responsible for conducting training on Prevention of Money Laundering because PML is a regulatory requirement. [The compliance personnel should be a guest speaker on specific areas rather than the lecturer.]

    The listing is not exhaustive. I have many more for interested viewers.
    _____________________________________________________

    To understand the concept of compliance and to define the responsibilities is not that difficult. Business/operations of the company should go on whether there is a compliance officer or not. Hence, the compliance department should be transparent. They should then allocate daily routines to the most appropriate department. You can live without a compliance department, but you cannot let the daily work stand still. What do the compliance personnel do then? They are professionals and they will do things to keep their jobs. They will design and establish a staff dealing policy and reporting system according to provisions of the Code. They will establish policies/guidelines on various operational areas (statements of account, contents of client documents, standing authority) for relevant departments to follow or to establish the detailed operational steps. They will do research on your enquiries. They will keep themselves busy so long as others give them a hand. The list is not exhaustive. Therefore, just leave them alone and they will do their job. They are there to help and not to cause others any trouble (unlike the IA).

    ReplyDelete
  2. Anonymous 6:31 PM

    Having put forward my (numerous) experiences of encountering (numerous) incidents of misconceptions of compliance, I will try to describe my understanding of the relationship between compliance/IA/Legal/Risk Mgt. (For your info, I have come across a listed company’s co. secretary who completely misunderstands the role of compliance. I want to cry.)

    I agree with your description of the relationship between Legal and Compliance. Yet, as I have said, a lot of people think that compliance personnel are lawyers/specialised in or an authority on the SFO. I hope that they will not ask the compliance officer something like the procedures for handling deceased/bankrupt accounts or whether the company is (legally) entitled to chase a client for his outstanding balance etc., which are more appropriately answered by the lawyers.

    With respect to Compliance v IA, the functions are blurred, especially in the banking sector. I see that to a certain extent as attributable to the MA’s view on Compliance. The MA now requires banks to do “on-going monitoring”, that is, regular audits on areas that have a compliance concern. One of the consequences is that the IA now defines a lot of areas as being of compliance’s concern and hence to be reviewed by the compliance personnel, because in their eyes compliance is just a control built into the whole control system. (I cited an example previously when I mentioned the MA requests compliance to verify the correctness of input of relevant individuals’ information.) This shift of responsibility allows the IA to avoid confrontation with, say, the powerful front line personnel. My view is, I accept this (I have come across at least one renowned firm’s IA department called the Compliance Department), provided that most of the resources currently enjoyed by IA are transferred to Compliance, as the latter will step into their shoes in performing routine reviews and reporting. Some banks have set up their monitoring teams within the compliance department.

    Regarding Compliance v Risk, I see every department as a risk management department and the supervisors of those departments as risk managers. Why not? Every person in an organisation is managing certain risks by performing his daily routines. These risks include credit, legal, operational, reputation… The significance of each type of risk to a position varies pertaining to the particular function/position. Of course, the risk management function of some departments (e.g. Treasury) has been established as a unique function. Nowadays, even accounting departments employ people specialised in regulatory reporting, perhaps due to the complexity of the reporting requirements. The Compliance Department therefore performs a function like a group/centralised function to which compliance officers of various units report and from which they get advice. The line departments have to take charge of system changes, design operational procedures etc. under the supervision of the centralised compliance function. Without this pyramid structure, which compliance personnel have the ability to take care of, say, a company of 500 to 1000+ employees with a huge number of operating units as well as the universe of regulatory rules?

    ReplyDelete
  3. Many people have assigned non-compliance related tasks to compliance officers. On the other hand, some people under other control functions pretend to be compliance experts.

    Some time ago, an internal auditor asked me whether a particular employee had unlicensed dealings. I said "no" and quoted the relevant sections of the SFO to support my point. She didn't believe me (but did not give any counter-argument) and just told me that his friend (also a compliance officer) had advised her otherwise.

    Come on, what sort of professional is this? No respect for facts and legal reasoning, but has the guts to put a word in on compliance issues. When did compliance become a profession for "cats & dogs"?

    ReplyDelete
  4. Anonymous 12:57 PM

    Internal auditors pretending to be modest and ignorant are equally disgusting.

    I was once approached by an internal auditor asking for my view on something. I treated that as a general chat, and in fact the occasion on which the internal auditor raised the issue was while we were on the way back to the office after attending some kind of meeting. I provided my view.

    In fact, that auditor subsequently used my information to give a response to an enquiry. Yet that person, in the reply email which was distributed to many people, said something along the lines of "... as per XXX's advice..." (XXX was me). Luckily my view was not incorrect and no one dragged on the issue eventually.

    So, lovely pets could turn into beasts.

    ReplyDelete
  5. Anonymous 11:26 PM

    I wonder whether ban and I are working in the same organisation because the experience is almost the same.

    But what is worst is that legal and compliance people, who are supposed to be technical-knowledge oriented, only spot typos and grammatical mistakes.

    ReplyDelete
  6. Anonymous 11:30 PM

    Regarding IA, they will "seek compliance's professional advice" before issuing an audit point. Maybe it's the "new style" of co-operation between the departments.

    ReplyDelete