Ali Abbas
Individual accountability: a guide to staying out of trouble
It doesn’t take academic researchers to see that financial regulators across the globe are cracking down on individuals within regulated organisations. Enforcement actions against senior executives are becoming commonplace, with everyone from accounting officers, compliance officers and even CEOs getting into trouble.
Of course, individual accountability for malpractice or missteps is not a new phenomenon – but there is little doubt that enforcement action is becoming more common and more severe. We’re also seeing enforcements higher up the food chain – no longer are regulators focusing on broker-dealers – they’re coming for the C-Suite.
Why are we seeing increased focus at a higher level? It could be for any number of reasons; perhaps the C-Suite are becoming increasingly non-compliant as for many years, they avoided the regulatory gaze. Or perhaps the regulators are now holding the C-Suite to account for the actions of their direct reports – after all, regulators have said for some time they want to see a “culture of compliance” built from the top down.
Whatever the reason, regulators are currently unabating in their actions. With that in mind, we’ve listed 7 ways you can keep out of trouble, avoiding personal fines and ultimately suspension.
1. Know what’s expected of you
Understanding your roles and responsibilities may seem like an obvious starting point, but given the number of instances in which people get it wrong, it’s always worth taking stock. In the UK, under the Senior Managers Certification Regime (SMCR) there should already be clearly defined roles and responsibilities within financial services. Away from the UK – or outside of financial compliance – understanding what the regulator expects of you is still imperative.
Accountability is not a static beast and regulatory expectations grow and change to suit market movement. In the EU, for example, the EBA recently set out renewed expectations for AML compliance officers. In the US, the SEC recently considered what a CCO liability regime may look like. It’s important to stay up to date with what current regulatory expectations are, but also what proposals are being mooted for the future. It is often this future-focussed information that provides insight into what the regulator may come to expect in time – if you can get ahead of this, even better.
Of course, outside of regimes such as SMCR, there are several ways to keep tabs on regulatory expectations. Dear CEO letters and regulatory messaging can be a good starting point, combined with clear oversight of the regulations and guidance that determine your responsibilities. Technology such as CUBE allows you to have a holistic oversight of all relevant rules, guidance and obligations that determine the parameters of your role.
2. Know who is responsible for what
This is a clear follow on from the first point. Once you understand what the regulator expects of you, you need to understand what facets of compliance and operations your team is responsible for.
As regulatory scrutiny moves away from the junior members of the trade floor, they’re looking to managers, executives and C-suite to ensure they have effective oversight of their departments.
There are myriad ways to keep track of the responsibilities of your direct reports – more outdated ways include spreadsheets and workflow management tools. More advanced technology now offers integrated workflows within compliance software, so you can see individual responsibilities tagged in the same UI as the compliance function is carried out.
3. Maintain defensible audit trails
When regulators ask for information around corporate governance, they want clear evidence of the work carried out, by whom, and across which channels. This can be provided in the form of reports, excel spreadsheets or other.
While these systems are generally effective, they can be fragmented and rely on significant manual output – which can lead to indefensible gaps. This leaves you scrambling around, trying to patch the holes and understand which piece goes where. This doesn’t look good to the regulator and can raise eyebrows, even where non-compliance has not occurred.
As above, more advanced RegTech will house this information under one roof, allowing you to pull defensible audit trails and watertight reports in an instant, rather than relying on third parties or adding to existing compliance workloads.
4. Know where your weaknesses are, and show you’re working to improve
Time and again, regulators take enforcement action against compliance officers or senior executives who knew there was a problem, but failed to act. Whether this stems from a failure in ensuring that technology is operational and operationally resilient, or whether it’s a failure in reporting or AML – inaction can be as serious as wilful bad action.
Having weaknesses in your compliance system isn’t unusual, you’re not alone. However, what is important is to understand those weaknesses and be actively working to strengthen them.
Whether this means calling out low-level misconduct to prevent greater harm – or whether it means investing in a RegTech solution to overhaul compliance end-end. If the regulators come knocking, they’ll be far more forgiving if you’re working to make compliance better.
5. Make compliance an ongoing process – not just ‘one and done’
So, you’ve patched up the gaps in your system. Time to sit back and relax, right? … not so fast.
As the SEC recently made patently clear, compliance is not a “check box exercise”, it’s a constant evolution. As soon as one hole is patched, another is starting to show.
It’s not your fault, it’s just the way that regulations work – keeping up with the pace, volume and velocity of regulatory change is hard. In the last year alone, CUBE captured over 300 million pages of new or amended regulations – understanding what that means for your business is not an easy task.
It is essential, therefore, that you can demonstrate to the regulator that you are treating compliance as an ongoing exercise – always striving to improve. Knowing what regulations apply, what regulations will apply, and taking steps to implement them across every line of business will be instrumental to keeping in the regulators’ good books.
6. Share the load
Compliance isn’t always easy and at times can be overwhelming. Of course, technology will assist you greatly in your compliance endeavours, so too will embedding a “culture of compliance”. As SEC staff recently said, this is what they expect of regulated institutions.
Transforming company culture isn’t easy, but should be taken seriously in your quest to succeed. Training and knowledge sharing are essential, but tick-box exercises and PowerPoint presentations are often ineffective.
Consider instead alternative ways to embed a good compliance culture within your organisation. Perhaps get creative with training programs, instigating interactive knowledge sessions where individuals can ask questions and understand the repercussions of non-compliance.
If you can embed a culture of compliance within your organisation, the chances of non-compliance are greatly reduced. Creating a watertight compliance operation where technology and employees work in harmony serves to benefit you and the wider organisation: your job will be made easier and your organisation will likely develop a better reputation in the marketplace.
In a market where investor preference is moving in favour of transparency, compliance is a competitive advantage. It’s a win-win.
7. Don’t bury your head in the sand
Transparency, honesty, resilience. These are the three key tenets of financial regulation and should be at the the forefront of your mind in your day-to-day.
If you muck up – confess and make amends. If you see gaps, work to patch them up. If you see an employee acting in a way that poses risk to the business, call them out. It might be the more difficult choice, but regulators will look on you fondly.
