In my last blog, I examined the failures of a financial services business where they were at their most basic. In this blog, I am looking at the opposite end of the scale and the maturity of compliance cultures in firms.
Compliance maturity has been around for a long time. In 2009 Thomson Reuters’ Compliance Weekly undertook a compliance maturity survey which included 10.9% from the finance industry. The view at that time was that “Chief compliance officers apparently still have lots of work ahead to turn their compliance efforts into strong, mature programs that can handle the broad range of risks”. In July 2015, members of Cork University in Ireland published in IJBEX* their “financial industry maturity model for anti-money laundering” to help firms be AML/CFT compliant albeit acknowledging their research was still at an early stage.
In Guernsey, in the GFSC’s 2015 Annual Report, the Director of Enforcement, Simon Gaudion, made the following comment: “One of the major topics for compliance professionals currently is regarding ‘compliance maturity’ which clearly needs to be set by the board and encompasses ethics, culture and corporate governance. Cases identified this year once again bring into question many of these issues around those areas and we would ask firms to consider whether the right tone and culture is being set from the top of their organisation.”
So where are we in 2021?
It is widely accepted that to ensure staff behave ethically and comply with the law and good corporate governance principles, the board needs to lead by example by living and breathing that culture. A business with such a team approach is not only more likely to adhere to the required legislation, so avoiding any supervisory action, but also to reduce costs and increase client satisfaction.
But how do you know how compliance mature your firm is? One way is to undertake a Compliance Effectiveness Assessment which looks at how people, processes and technology help or hinder the firm in its aim.
In an effective compliance programme, people are the most important component but also the weakest link. The board needs to be able to support staff by giving them the training they need to promote the right behaviour, backed up by a fully resourced compliance function that has a seat at their table. Properly documented processes will support staff to comply with the requirements, with success being shown by a good reaction time to new regulatory changes, collaboration between different teams and the right level of evidence of the controls in place. Use of up-to-date technology that is appropriate for the particular business squares the circle.
Given that the update of the firm’s AML/CFT policies, procedures and controls was required to be approved by the Board by the 30th September 2020, this year would be a good time to identify a firm’s compliance maturity and consider if the right culture is being practised by the firm to ensure that those new policies and procedures are effective. Not only would such an assessment save money in the long run, but it would also comply with the requirements of the AML/CFT Handbook.
Rule 2.18 states that “the board must consider the appropriateness and effectiveness of its compliance arrangements and its policy for the review of compliance at a minimum annually, or whenever material changes to the business of the firm or the requirements of Schedule 3 or this Handbook occur.” A review of compliance is not only applicable to AML/CFT but also to the rules relating to the particular licensee’s business, such as the COB Rules, the new Fiduciary and Pension Rules and Guidance, and the Code of Corporate Governance, which applies to all licensed companies.
A Compliance Effectiveness Review not only identifies where the firm is on the journey to compliance maturity but also what may be hindering its progress. The review usually consists of desktop study, surveys and interviews covering various aspects of the firm and, depending on the completeness of the review, can take up to 12 weeks. Whilst this in-depth approach may be suitable for some firms, an overview can be completed in as little as a week to identify the main issues a firm may have and to recommend any further investigation that would be beneficial. A third party’s objective consideration of the business’ objectives and risk assessments, as well as interviews with the relevant staff, can be surprisingly useful in identifying the priorities for review in any compliance monitoring programme.
By believing in the importance of compliance, the board can instill in the business a proactive approach that encourages the identification of opportunities that arise from new regulations – a win-win for all concerned. By knowing the level of the firm’s compliance maturity, the board can identify and prioritise the right doors to open to reap those benefits.
If you wish to have assistance in reviewing how compliance mature your firm is, then please feel free to contact me for a no obligation discussion.
* International Journal of Business Excellence (IJBEX), Vol. 8, No. 4, 2015