As we all know, the Compliance function is now one of the most important tools in a firm’s fight to minimise risk. It has been a bit of a battle to get Boards to realise that the Compliance Department should be treated as a trusted partner but, if its objectives are successfully integrated into all processes, it can be a partner which helps the firm do business. This is not least because of the reputational damage that can arise from non-compliance, but also because there are real benefits: a smooth, efficient and speedy CDD collection service, for example, can enhance customer relationships.
However, as there are more and more areas a Compliance Department should be looking at, what is the role of Compliance now?
Compliance is defined as “the conformity in fulfilling official requirements” but, considering the vast array of official requirements, this could be so many things. When I started my career in law in the late 1980s, we did not think of compliance as a distinct department but just as a general responsibility. We had to comply with all necessary legislation no matter what law we were advising on, and that included compliance in respect of, amongst other things, confidentiality and data protection, insurance, health and safety and employment. It wasn’t until April 1994, when it started to be a question of whether we needed to see a client’s passport or not, that to me the Compliance Department became a reality.
More than 20 years later, the Compliance Department has evolved from just looking at the AML requirements to looking at the many new threats and concerns which need to be addressed daily. To mention a few issues, we have the EU General Data Protection Regulations, the OECD Common Reporting Standard for the exchange of tax information, and all the changes that may come along after the 23rd June with a possible BREXIT.
The EU General Data Protection Regulations come into force in 2018 and bring in the new concepts of the right to be forgotten, data portability and data breach notification. As to the CRS, so far 55 countries have committed to the first exchange of information by 2017 and, of course, this includes the Crown Dependencies; Guernsey’s regulations came into force on the 1st December 2015. If the UK decides to leave the EU, then Protocol 3 will need to be renegotiated, and this may not be on such favourable terms.
But should it be the Compliance Department that is responsible, or should other departments be dealing with the issues? I think that depends on the model in your firm and the resources you have but, whatever they may be, clear lines should be drawn to ensure each person and each department knows their responsibilities so nothing falls through the cracks.
To me, the most pressing and important area which must not fall foul of blurry lines of responsibility is the EU General Data Protection Regulations. Whilst 2018 seems a long time away, due to the extent of its coverage, work must begin now. Firms need to review their operations, risks and controls to be ready not only to protect themselves from threats but to stand out from the crowd. The role of Compliance as a trusted partner, in my mind, is to get together as many other Departments as possible to discuss your firm’s response. That’s, of course, if it hasn’t happened already.
There are opportunities, and work has already begun in earnest to put Guernsey in a great position. As PWC said in its 2015 report: let’s establish the Island as a ‘Trusted Location’ for international data. Why not? Having the right components in place will enable the finance industry and Guernsey to embrace these opportunities. And if successful, we will all see the benefits.